Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
* indicates the dependency has a known exploited vulnerability
Dependencies
HdrHistogram-2.1.9.jar
Description:
HdrHistogram supports the recording and analyzing of sampled data value
counts across a configurable integer value range with configurable value
precision within the range. Value precision is expressed as the number of
significant digits in the value recording, and provides control over value
quantization behavior across the value range and the subsequent value
resolution at any given level.
License:
Public Domain, per Creative Commons CC0: http://creativecommons.org/publicdomain/zero/1.0/
File Path: /home/khannasa/.m2/repository/org/hdrhistogram/HdrHistogram/2.1.9/HdrHistogram-2.1.9.jar
MD5: ee302e5e7489719991aa0ca2dd67febd
SHA1: e4631ce165eb400edecfa32e03d3f1be53dee754
SHA256: 95d40913be28dfd439cefea9170c40898ea84f11f25e6ff8de50339b8a7b5e3e
Referenced In Project/Scope: java-sec-code:runtime
HdrHistogram-2.1.9.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/net/minidev/accessors-smart/1.1/accessors-smart-1.1.jar
MD5: b75cda0d7dadff9e6c20f4e7f3c3bc82
SHA1: a527213f2fea112a04c9bdf0ec0264e34104cd08
SHA256: e6e04753913546da3ff0fbf532ac2831d0266f69246b1e6e295ba367aa9f02a5
Referenced In Project/Scope: java-sec-code:compile
accessors-smart-1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.jayway.jsonpath/json-path@2.2.0
File Path: /home/khannasa/.m2/repository/org/codehaus/mojo/animal-sniffer-annotations/1.14/animal-sniffer-annotations-1.14.jar
MD5: 9d42e46845c874f1710a9f6a741f6c14
SHA1: 775b7e22fb10026eed3f86e8dc556dfafe35f2d5
SHA256: 2068320bd6bad744c3673ab048f67e30bef8f518996fa380033556600669905d
Referenced In Project/Scope: java-sec-code:compile
animal-sniffer-annotations-1.14.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.guava/guava@23.0
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /home/khannasa/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
SHA256: 88fbda4b912596b9f56e8e12e580cc954bacfb51776ecfddd3e18fc1cf56dc4c
Referenced In Project/Scope: java-sec-code:runtime
antlr-2.7.7.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/khannasa/.m2/repository/org/antlr/antlr-runtime/3.4/antlr-runtime-3.4.jar
MD5: 0e0318be407e51fdf7ba6777eabfdf73
SHA1: 8f011408269a8e42b8548687e137d8eeb56df4b4
SHA256: 5b7cf53b7b30b034023f58030c8147c433f2bee0fe7dec8fae6bebf3708c5a63
Referenced In Project/Scope: java-sec-code:runtime
antlr-runtime-3.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar
MD5: 04177054e180d09e3998808efa0401c7
SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
SHA256: 0addec670fedcd3f113c5c8091d783280d23f75e3acb841b61a9cdb079376a08
Referenced In Project/Scope: java-sec-code:compile
aopalliance-1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/archaius/archaius-core/0.7.4/archaius-core-0.7.4.jar
MD5: 7179ec4e4ff48cc8424a24bd2861526e
SHA1: d6b5e5c541452248fd8565ccd0732623c81a30b5
SHA256: 9da22d7942720579ed1abf87b030192fee6d8d4a914ae8841ce9f25175a7e17b
Referenced In Project/Scope: java-sec-code:compile
archaius-core-0.7.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/asm/asm/3.3.1/asm-3.3.1.jar
MD5: 1ad1e8959324b0f680b8e62406955642
SHA1: 1d5f20b4ea675e6fab6ab79f1cd60ec268ddc015
SHA256: c2b39275f8e951bc74750080a1266cdabc39399bc5e13d642bf2d346449df7f3
Referenced In Project/Scope: java-sec-code:compile
asm-3.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.commons/commons-digester3@3.2
File Path: /home/khannasa/.m2/repository/org/ow2/asm/asm/5.0.4/asm-5.0.4.jar
MD5: c8a73cdfdf802ab0220c860d590d0f84
SHA1: 0da08b8cce7bbf903602a25a3a163ae252435795
SHA256: 896618ed8ae62702521a78bc7be42b7c491a08e6920a15f89a3ecdec31e9a220
Referenced In Project/Scope: java-sec-code:compile
asm-5.0.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Bouncy Castle Java APIs for CMS, PKCS, EAC, TSP, CMP, CRMF, OCSP, and certificate generation. This jar contains APIs for JDK 1.5 to JDK 1.8. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs.
File Path: /home/khannasa/.m2/repository/org/bouncycastle/bcpkix-jdk15on/1.55/bcpkix-jdk15on-1.55.jar
MD5: 9e17685b340a4e22fec6733cf65ed5ac
SHA1: 6392d8cba22b722c6570d660ca0b3921ff1bae4f
SHA256: d7cc06e92f0d117989cc7035f697c69c7c355838b2de3dc35491441afea09ca9
Referenced In Project/Scope: java-sec-code:compile
bcpkix-jdk15on-1.55.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
File Path: /home/khannasa/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.55/bcprov-jdk15on-1.55.jar
MD5: cbf56e979aba0e551a57953080e115f0
SHA1: 935f2e57a00ec2c489cbd2ad830d4a399708f979
SHA256: c08450a176b55c7ef4847111550eb247e5912ad450c8c225fa2f7cab74ce608b
Referenced In Project/Scope: java-sec-code:compile
bcprov-jdk15on-1.55.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); these have since been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
CWE-347 Improper Verification of Cryptographic Signature
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as "ROBOT."
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
In engineSetMode of BaseBlockCipher.java, there is a possible incorrect cryptographic algorithm chosen due to an incomplete comparison. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-10. Android ID: A-148517383
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with a remaining dependency onto ASM.
You should never depend on this module without repackaging Byte Buddy and ASM into your own namespace.
Byte Buddy is a Java library for creating Java classes at run time.
This artifact is a build of Byte Buddy with all ASM dependencies repackaged into its own name space.
File Path: /home/khannasa/.m2/repository/net/bytebuddy/byte-buddy/1.8.12/byte-buddy-1.8.12.jar
MD5: a0f02ee29fce337c4c18d1309d5ccaee
SHA1: 82a340b11ea0a55e5d51b3ae559003454b8bf320
SHA256: 864fe160fb4d42e9bfd1fb256589cd3b6d003d6c0d90764283def5cb2987f8e2
Referenced In Project/Scope: java-sec-code:compile
byte-buddy-1.8.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
File Path: /home/khannasa/.m2/repository/cglib/cglib/2.2.2/cglib-2.2.2.jar
MD5: b3f681be48fce094cf01a045f5bdca6f
SHA1: a47a971686474124562bdd4a7ccbd8ac8c3e8b11
SHA256: a93e4485d274277177480c4afe6ddd8355cda1cacfe356c134e25d65193935fd
Referenced In Project/Scope: java-sec-code:compile
cglib-2.2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.commons/commons-digester3@3.2
Checker Qual is the set of annotations (qualifiers) and supporting classes
used by the Checker Framework to type check Java source code.
Please see artifact: org.checkerframework:checker
License:
The MIT License: http://opensource.org/licenses/MIT
File Path: /home/khannasa/.m2/repository/org/checkerframework/checker-qual/3.5.0/checker-qual-3.5.0.jar
MD5: 4464def1ed5c10f248ebfe1bccbedf1a
SHA1: 2f50520c8abea66fbd8d26e481d3aef5c673b510
SHA256: 729990b3f18a95606fc2573836b6958bcdb44cb52bfbd1b7aa9c339cff35a5a4
Referenced In Project/Scope: java-sec-code:runtime
checker-qual-3.5.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.postgresql/postgresql@42.3.1
Library for introspecting types with full generic information
including resolving of field and method types.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/fasterxml/classmate/1.3.3/classmate-1.3.3.jar
MD5: 85986d1c6a2a58901ab1ca64ff4d8a50
SHA1: 864c8e370a691e343210cc7c532fc198cee460d8
SHA256: 607852e0e8d608183b6dba8e6064726ff4c7895e128196885fb5a2df481df344
Referenced In Project/Scope: java-sec-code:compile
classmate-1.3.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/commons-beanutils/commons-beanutils/1.9.4/commons-beanutils-1.9.4.jar
MD5: 07dc532ee316fe1f2f0323e9bd2f8df4
SHA1: d52b9abcd97f38c81342bb7e7ae1eee9b73cba51
SHA256: 7d938c81789028045c08c065e94be75fc280527620d5bd62b519d5838532368a
Referenced In Project/Scope: java-sec-code:compile
commons-beanutils-1.9.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: /home/khannasa/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
SHA256: 4241dfa94e711d435f29a4604a3e2de5c4aa3c165e23bd066be6fc1fc4309569
Referenced In Project/Scope: java-sec-code:compile
commons-codec-1.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.httpcomponents/httpclient@4.5.12
Types that extend and augment the Java Collections Framework.
File Path: /home/khannasa/.m2/repository/commons-collections/commons-collections/3.1/commons-collections-3.1.jar
MD5: d1dcb0fbee884bb855bb327b8190af36
SHA1: 40fb048097caeacdb11dbb33b5755854d89efdeb
SHA256: c1547d185ba6880bcc2da261c5f7533512b6ffdbbc1898db5b793c0cb830fcf0
Referenced In Project/Scope: java-sec-code:compile
commons-collections-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
File Path: /home/khannasa/.m2/repository/commons-configuration/commons-configuration/1.8/commons-configuration-1.8.jar
MD5: a69448e8c1e24d989266083c301e354b
SHA1: 6cce40435bcd8018018f16898de01976b319941a
SHA256: e229cf1fe95f7147cbc1f8d31affc07087c206bc8dc7e5b05b6be670910f87ba
Referenced In Project/Scope: java-sec-code:compile
commons-configuration-1.8.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Commons Digester package lets you configure an XML to Java
object mapping module which triggers certain actions called rules whenever
a particular pattern of nested XML elements is recognized.
File Path: /home/khannasa/.m2/repository/org/apache/commons/commons-digester3/3.2/commons-digester3-3.2.jar
MD5: 41d2c62c7aedafa7a3627794abc83f71
SHA1: c3f68c5ff25ec5204470fd8fdf4cb8feff5e8a79
SHA256: 1c150e3d2df4b4237b47e28fea2079fb0da324578d5cca6a5fed2e37a62082ec
Referenced In Project/Scope: java-sec-code:compile
commons-digester3-3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
File Path: /home/khannasa/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
MD5: 8ad8c9229ef2d59ab9f59f7050e846a5
SHA1: 964cd74171f427720480efdec40a7c7f6e58426a
SHA256: dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443
Referenced In Project/Scope: java-sec-code:compile
commons-httpclient-3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
The Apache Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /home/khannasa/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar
MD5: e2d74794fba570ec2115fb9d5b05dc9b
SHA1: 2852e6e05fbb95076fc091f6d1780f1f8fe35e0f
SHA256: a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474
Referenced In Project/Scope: java-sec-code:compile
commons-io-2.5.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
A Java-based implementation of XPath 1.0 that, in addition to XML processing, can inspect/modify Java object graphs (the library's explicit purpose) and even mixed Java/XML structures.
File Path: /home/khannasa/.m2/repository/commons-jxpath/commons-jxpath/1.3/commons-jxpath-1.3.jar
MD5: 61a9aa8ff43ba10853571d57f724bf88
SHA1: c22d7d0f0f40eb7059a23cfa61773a416768b137
SHA256: fcbc0ad917d9d6a73c6df21fac322e00d213ef19cd94815a007c407a8a3ff449
Referenced In Project/Scope: java-sec-code:runtime
commons-jxpath-1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2022-41852 for details
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.
** DISPUTED ** This record was originally reported by the oss-fuzz project who failed to consider the security context in which JXPath is intended to be used and failed to contact the JXPath maintainers prior to requesting the CVE allocation. The CVE was then allocated by Google in breach of the CNA rules. After review by the JXPath maintainers, the original report was found to be invalid.
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/khannasa/.m2/repository/commons-lang/commons-lang/2.4/commons-lang-2.4.jar
MD5: 237a8e845441bad2e535c57d985c8204
SHA1: 16313e02a793435009f1e458fa4af5d879f6fb11
SHA256: 2c73b940c91250bc98346926270f13a6a10bb6e29d2c9316a70d134e382c873e
Referenced In Project/Scope: java-sec-code:compile
commons-lang-2.4.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/commons-logging/commons-logging/1.1.3/commons-logging-1.1.3.jar
MD5: 92eb5aabc1b47287de53d45c086a435c
SHA1: f6f66e966c70a83ffbdb6f17a0919eaf7c8aca7f
SHA256: 70903f6fc82e9908c8da9f20443f61d90f0870a312642991fe8462a0b9391784
Referenced In Project/Scope: java-sec-code:compile
commons-logging-1.1.3.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.httpcomponents/fluent-hc@4.3.6
The Math project is a library of lightweight, self-contained mathematics and statistics components addressing the most common practical problems not immediately available in the Java programming language or commons-lang.
File Path: /home/khannasa/.m2/repository/org/apache/commons/commons-math/2.2/commons-math-2.2.jar
MD5: 4b65633769a2d3c532c86188648bb380
SHA1: 4877b85d388275f994a5cfc7eceb73a8045d3006
SHA256: 15993bb2a3cf50f3291b40fc980a3166a0984e7b5f1abbe5232151fd94954584
Referenced In Project/Scope: java-sec-code:runtime
commons-math-2.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Apache Commons Net library contains a collection of network utilities and protocol implementations.
Supported protocols include: Echo, Finger, FTP, NNTP, NTP, POP3(S), SMTP(S), Telnet, Whois
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/commons-net/commons-net/3.6/commons-net-3.6.jar
MD5: b46661b01cc7aeec501f1cd3775509f1
SHA1: b71de00508dcb078d2b24b5fa7e538636de9b3da
SHA256: d3b3866c61a47ba3bf040ab98e60c3010d027da0e7a99e1755e407dd47bc2702
Referenced In Project/Scope: java-sec-code:compile
commons-net-3.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
File Path: /home/khannasa/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
SHA256: 593552ffea3c5823c6602478b5002a7c525fd904a3c44f1abe4065c22edfac73
Referenced In Project/Scope: java-sec-code:compile
dom4j-1.6.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml@3.9
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another."
BSD 3-clause New License: https://github.com/dom4j/dom4j/blob/master/LICENSE
File Path: /home/khannasa/.m2/repository/org/dom4j/dom4j/2.1.0/dom4j-2.1.0.jar
MD5: dcd0b683599cb29fd0a684d54c38e71d
SHA1: 6ad46940de4d721df3d6bbcd2977149742095445
SHA256: 95b11e251e4f0fdcc5d1b3b984d30452260f65d1b382c7aea1448d2b83e8c222
Referenced In Project/Scope: java-sec-code:compile
dom4j-2.1.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
An issue in dom4.j org.dom4.io.SAXReader v.2.1.4 and before allows a remote attacker to obtain sensitive information via the setFeature function. NOTE: the vendor and original reporter indicate that this is not a vulnerability because setFeature only sets features, which "can be safe in one case and unsafe in another."
File Path: /home/khannasa/.m2/repository/com/google/errorprone/error_prone_annotations/2.0.18/error_prone_annotations-2.0.18.jar
MD5: 98051758c08c9b7111b3268655069432
SHA1: 5f65affce1684999e2f4024983835efc3504012e
SHA256: cb4cfad870bf563a07199f3ebea5763f0dec440fcda0b318640b1feaa788656b
Referenced In Project/Scope: java-sec-code:compile
error_prone_annotations-2.0.18.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.google.guava/guava@23.0
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/eureka/eureka-client/1.4.11/eureka-client-1.4.11.jar
MD5: 300834c68798cdfc2febdd2ec8de3d1c
SHA1: ea776c57b92c7674bb64b891a106abdbad62e5dc
SHA256: a854eb84f788789b7948d5277557f9e265095cbcd5be6621997750df3b4faea7
Referenced In Project/Scope: java-sec-code:compile
eureka-client-1.4.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/eureka/eureka-core/1.4.11/eureka-core-1.4.11.jar
MD5: dca2a549f604d6951b9f7dde6e415adb
SHA1: bc65cd5d0d1384db43d752621e989980f3c05819
SHA256: cda890ffed460f8daf3fd9f7483fac2858e2a1b8b96d60edbdad2b7eba1d5c01
Referenced In Project/Scope: java-sec-code:compile
eureka-core-1.4.11.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/com/alibaba/fastjson/1.2.24/fastjson-1.2.24.jar MD5: 036e7cdd77ba14322ff3a38fc4e1cfbe SHA1: a2b82688715ee16d874d90229d204daf3efcac8e SHA256:1b4ebbb73676b7048966f5165a9310fb81c761eeab9eb2e2d361b70ff9450c66 Referenced In Project/Scope: java-sec-code:compile fastjson-1.2.24.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
parseObject in Fastjson before 1.2.25, as used in FastjsonEngine in Pippo 1.11.0 and other products, allows remote attackers to execute arbitrary code via a crafted JSON request, as demonstrated by a crafted rmi:// URI in the dataSourceName field of HTTP POST data to the Pippo /json URI, which is mishandled in AjaxApplication.java.
The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: If upgrading is not possible, you can enable [safeMode](https://github.com/alibaba/fastjson/wiki/fastjson_safemode).
File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/fluent-hc/4.3.6/fluent-hc-4.3.6.jar MD5: 10ddea0d53cc157876ecd6653b3b31f0 SHA1: 57cc6e104beef81737fcbfaf22c3c755e22171d2 SHA256:0d042c4e4a348352fe02f1dff108fd20692f5351f000f8e374abeb3b63054fc8 Referenced In Project/Scope: java-sec-code:compile fluent-hc-4.3.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/governator/governator/1.12.10/governator-1.12.10.jar MD5: ecded6ff66b8473ef843abf2e2144243 SHA1: 15348d5565642cc2f0903f4cacfedf57b87d582f SHA256:454a451f66fb62b0a2e14a8294784439f3d6c27e38dcc111e7423a5f72c9acf1 Referenced In Project/Scope: java-sec-code:runtime governator-1.12.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/governator/governator-api/1.12.10/governator-api-1.12.10.jar MD5: 636bb4bc2a36ab036acce155cb696767 SHA1: dc148726471b269f58789f74826ebcb7d0901462 SHA256:b296338d18cf4fd2217cc60deeb496ffa6db7285e7c1c36857ef654de87f1e4c Referenced In Project/Scope: java-sec-code:runtime governator-api-1.12.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/governator/governator-core/1.12.10/governator-core-1.12.10.jar MD5: 0a2c8a42ee2ac7fba4971d059c78c65f SHA1: 87401d6d5ec5d32323b007f1a8a4f2b7a7527c36 SHA256:54cb27b0d02bbf48cae4ea25c1c10252e8de06f4e26c6b10c1f17ce187efacc9 Referenced In Project/Scope: java-sec-code:runtime governator-core-1.12.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/codehaus/groovy/groovy/2.4.7/groovy-2.4.7.jar MD5: 527fe0ab66e77d28a9134c213dd7e8a1 SHA1: 10870e6511f544ce45152d0ad08d7514a00c8201 SHA256:3a979e626477cef5dda735fa8f005a20e080104821e63a760be6db2f022b1523 Referenced In Project/Scope: java-sec-code:compile groovy-2.4.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
When an application with unsupported Codehaus versions of Groovy from 1.7.0 to 2.4.3, or Apache Groovy 2.4.4 to 2.4.7, on the classpath uses standard Java serialization mechanisms, e.g. to communicate between servers or to store local data, it was possible for an attacker to craft a special serialized object that will execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects were subject to this vulnerability.
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
File Path: /home/khannasa/.m2/repository/com/google/code/gson/gson/2.8.0/gson-2.8.0.jar MD5: a42f1f5bfa4e6f123ddcab3de7e0ff81 SHA1: c4ba5371a29ac9b2ad6129b1d39ea38750043eff SHA256:c6221763bd79c4f1c3dc7f750b5f29a0bb38b367b81314c4f71896e340c40825 Referenced In Project/Scope: java-sec-code:runtime gson-2.8.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
File Path: /home/khannasa/.m2/repository/com/google/guava/guava/23.0/guava-23.0.jar MD5: 7d7838b57e04ae0164714c56ac9e20d9 SHA1: c947004bb13d18182be60077ade044099e4f26f1 SHA256:7baa80df284117e5b945b19b98d367a85ea7b7801bd358ff657946c3bd1b6596 Referenced In Project/Scope: java-sec-code:compile guava-23.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
CWE-552 Files or Directories Accessible to External Parties
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
CWE-770 Allocation of Resources Without Limits or Throttling
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
CWE-732 Incorrect Permission Assignment for Critical Resource
File Path: /home/khannasa/.m2/repository/com/google/inject/guice/4.0/guice-4.0.jar MD5: 969e114e22733923ba147331dd779ed5 SHA1: 0f990a43d3725781b6db7cd0acf0a8b62dfd1649 SHA256:b378ffc35e7f7125b3c5f3a461d4591ae1685e3c781392f0c854ed7b7581d6d2 Referenced In Project/Scope: java-sec-code:runtime guice-4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/com/google/inject/extensions/guice-assistedinject/4.0/guice-assistedinject-4.0.jar MD5: 9729ad492291ab967c46e96c75cf5422 SHA1: 8fa6431da1a2187817e3e52e967535899e2e46ca SHA256:ed44e4d809e6b3bc41ccd6e8b5acf43fb517234f4ac4c1125d7a82c44826f147 Referenced In Project/Scope: java-sec-code:runtime guice-assistedinject-4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/com/google/inject/extensions/guice-grapher/4.0/guice-grapher-4.0.jar MD5: 0bb01cefc93967ca294d832de223a2a5 SHA1: 4e611ae9b12bfc4ddd430a58c65ba1c4328eeaf9 SHA256:83bcdc6a0c9458ebe7c4e294561ebf49f1ea46bde4462a5e353e874745e50851 Referenced In Project/Scope: java-sec-code:runtime guice-grapher-4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/com/google/inject/extensions/guice-multibindings/4.0/guice-multibindings-4.0.jar MD5: c11b429d899c3407c5b77fb727bb05d5 SHA1: f4509545b4470bbcc865aa500ad6fef2e97d28bf SHA256:79d1d122ce059ed2c55d5acfd77eb31e3891f6a4aa997257ec0e7aec3d10f078 Referenced In Project/Scope: java-sec-code:runtime guice-multibindings-4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
This is the core API of the hamcrest matcher framework, to be used by third-party framework providers. It includes a foundation set of matcher implementations for common operations.
File Path: /home/khannasa/.m2/repository/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar MD5: 6393363b47ddcbba82321110c3e07519 SHA1: 42a25dc3219429f0e5d060061f71acb49bf010a0 SHA256:66fdef91e9739348df7a096aa384a5685f4e875584cce89386a7a47251c4d8e9 Referenced In Project/Scope: java-sec-code:compile hamcrest-core-1.3.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/junit/junit@4.12
File Path: /home/khannasa/.m2/repository/org/hibernate/hibernate-validator/5.3.4.Final/hibernate-validator-5.3.4.Final.jar MD5: 540c4f2374a74674f00e2f2691bb2cce SHA1: 2f6c8c0b646afe18e3ad205726729d3c4a85fe2e SHA256:b87d88d4faee39fb7aad20715d79b49c07c2b915df05faccb002bfcf0cb1f0e5 Referenced In Project/Scope: java-sec-code:compile hibernate-validator-5.3.4.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
In Hibernate Validator 5.2.x before 5.2.5 final, 5.3.x, and 5.4.x, it was found that when the security manager's reflective permissions, which allow it to access the private members of the class, are granted to Hibernate Validator, a potential privilege escalation can occur. By allowing the calling code to access those private members without the permission, an attacker may be able to validate an invalid instance and access the private member value via ConstraintViolation#getInvalidValue().
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/httpasyncclient/4.1.4/httpasyncclient-4.1.4.jar MD5: f29a16f1c28f5b3dd511cbd16d7fa422 SHA1: f3a3240681faae3fa46b573a4c7e50cec9db0d86 SHA256:50e981a8e567a16ebdad104605b156540a863459fa127b8ba647f310dfc83ef8 Referenced In Project/Scope: java-sec-code:compile httpasyncclient-4.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/httpclient/4.5.12/httpclient-4.5.12.jar MD5: 72002652711fe0fa3218d2bf20f47409 SHA1: 4023a2a80b64c25926911faf350b50cd2a29220f SHA256:bc5f065aba5dd815ee559dd24d9bcb797fb102ff9cfa036f5091ebc529bd3b93 Referenced In Project/Scope: java-sec-code:compile httpclient-4.5.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/httpcore/4.4.6/httpcore-4.4.6.jar MD5: a9fbd503e0802507efeeaffb56bbdf52 SHA1: e3fd8ced1f52c7574af952e2e6da0df8df08eb82 SHA256:d7f853dee87680b07293d30855b39b9eb56c1297bd16ff1cd6f19ddb8fa745fb Referenced In Project/Scope: java-sec-code:compile httpcore-4.4.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.httpcomponents/httpclient@4.5.12
File Path: /home/khannasa/.m2/repository/org/apache/httpcomponents/httpcore-nio/4.4.10/httpcore-nio-4.4.10.jar MD5: b8ddfe970fc30e47d367b1bbded52317 SHA1: 0486f90c2af9bb81c51e8fb905647267053d5441 SHA256:debee7e9572c02a16ce0caa4f565a9eceb1290d33cd7a1e3297087bd467daff4 Referenced In Project/Scope: java-sec-code:compile httpcore-nio-4.4.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.apache.httpcomponents/httpasyncclient@4.1.4
File Path: /home/khannasa/.m2/repository/cn/hutool/hutool-all/5.8.10/hutool-all-5.8.10.jar MD5: 469eb4cd8ae894d92e8c538152a3de9d SHA1: 0d6ff30dc7c2389edc8c7e429a1174a7f574eb4f SHA256:1960ee1120a2c28a125c32c7c2300a1e5223ac2fc5cbbae1040beccf49d881d2 Referenced In Project/Scope: java-sec-code:compile hutool-all-5.8.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
A vulnerability classified as problematic was found in Dromara HuTool up to 5.8.10. This vulnerability affects unknown code of the file cn.hutool.core.util.ZipUtil.java. The manipulation leads to resource consumption. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.8.11 is able to address this issue. It is recommended to upgrade the affected component. VDB-215974 is the identifier assigned to this vulnerability.
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
A stack overflow in the org.json.JSONTokener.nextValue::JSONTokener.java component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
Hutool v5.8.17 and below was discovered to contain an information disclosure vulnerability via the File.createTempFile() function at /core/io/FileUtil.java.
CWE-732 Incorrect Permission Assignment for Critical Resource
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/hystrix/hystrix-core/1.5.5/hystrix-core-1.5.5.jar MD5: 3f1c2759c128d5ec79cc05c55ae6de5e SHA1: 931fbad1ff4d0339983bfc7f6447dfac3c04650d SHA256:3256a1f11684b78a2fde8fce183642cfee23983df5f816716ff79395902ffba2 Referenced In Project/Scope: java-sec-code:runtime hystrix-core-1.5.5.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/com/ibm/icu/icu4j/4.6/icu4j-4.6.jar MD5: 83407cb94fdfe2294cf9408279427b4a SHA1: 935544e98e498d95ed0f41ca1eef946780f2dbc0 SHA256:b7efe223de080eb29fd9f341777cd85bfa4c770469a7fea9b0c2d27108893673 Referenced In Project/Scope: java-sec-code:compile icu4j-4.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | icu4j | High
Vendor | file (hint) | name | icu-project | High
Vendor | file (hint) | name | unicode | High
Vendor | jar | package name | ibm | Highest
Vendor | jar | package name | icu | Highest
Vendor | Manifest | bundle-copyright | Copyright 2000-2010, International Business Machines Corporation and others. All Rights Reserved. | Low
Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low
Vendor | Manifest | bundle-symbolicname | com.ibm.icu | Medium
Vendor | Manifest | Implementation-Vendor | IBM Corporation | High
Vendor | Manifest | Implementation-Vendor-Id | com.ibm | Medium
Vendor | Manifest | specification-vendor | icu-project.org | Low
Vendor | pom | artifactid | icu4j | Highest
Vendor | pom | artifactid | icu4j | Low
Vendor | pom | developer id | deborah | Medium
Vendor | pom | developer id | doug | Medium
Vendor | pom | developer id | emmons | Medium
Vendor | pom | developer id | mark | Medium
Vendor | pom | developer id | markus | Medium
Vendor | pom | developer id | srl | Medium
Vendor | pom | developer id | yoshito | Medium
Vendor | pom | developer name | Deborah Goldsmith | Medium
Vendor | pom | developer name | Doug Felt | Medium
Vendor | pom | developer name | John Emmons | Medium
Vendor | pom | developer name | Mark Davis | Medium
Vendor | pom | developer name | Markus Scherer | Medium
Vendor | pom | developer name | Steven Loomis | Medium
Vendor | pom | developer name | Yoshito Umaoka | Medium
Vendor | pom | developer org | Apple | Medium
Vendor | pom | developer org | Google | Medium
Vendor | pom | developer org | IBM Corporation | Medium
Vendor | pom | groupid | com.ibm.icu | Highest
Vendor | pom | name | ICU4J | High
Vendor | pom | url | http://icu-project.org/ | Highest
Vendor | pom (hint) | artifactid | icu-project | Highest
Vendor | pom (hint) | artifactid | icu-project | Low
Vendor | pom (hint) | artifactid | unicode | Highest
Vendor | pom (hint) | artifactid | unicode | Low
Vendor | pom (hint) | name | icu-project | High
Vendor | pom (hint) | name | unicode | High
Product | file | name | icu4j | High
Product | hint analyzer | product | international_components_for_unicode | Highest
Product | jar | package name | ibm | Highest
Product | jar | package name | icu | Highest
Product | Manifest | bundle-copyright | Copyright 2000-2010, International Business Machines Corporation and others. All Rights Reserved.
A set of annotations that provide additional information to the J2ObjC
translator to modify the result of translation.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/google/j2objc/j2objc-annotations/1.1/j2objc-annotations-1.1.jar MD5: 49ae3204bb0bb9b2ac77062641f4a6d7 SHA1: ed28ded51a8b1c6b112568def5f4b455e6809019 SHA256:2994a7eb78f2710bd3d3bfb639b2c94e219cedac0d4d084d516e78c16dddecf6 Referenced In Project/Scope: java-sec-code:compile j2objc-annotations-1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.google.guava/guava@23.0
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.8.0/jackson-annotations-2.8.0.jar MD5: 288e6537849f0c63e76409b515c4fbe4 SHA1: 45b426f7796b741035581a176744d91090e2e6fb SHA256:e61b7343aceeb6ecda291d4ef133cd3e765f178c631c357ffd081abab7f15db8 Referenced In Project/Scope: java-sec-code:compile jackson-annotations-2.8.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Fasterxml Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.6/jackson-core-2.8.6.jar MD5: fc62c06dbb91d1c9130c405edaa35a88 SHA1: 2ef7b1cc34de149600f5e75bc2d5bf40de894e60 SHA256:10a8d607dc66aadee9ef24e8b3d83f04b6c0e033926558cc64e408bcbda0ca9f Referenced In Project/Scope: java-sec-code:compile jackson-core-2.8.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
Fasterxml Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
File Path: /home/khannasa/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.6/jackson-databind-2.8.6.jar MD5: b9bcc79b8b3883f627045b2da535e580 SHA1: c43de61f74ecc61322ef8f402837ba65b0aa2bf4 SHA256:922413ca2ff5a8f1f86a2eaae8ff02219322ec6ff00d212e7973df8aac4bbaa3 Referenced In Project/Scope: java-sec-code:compile jackson-databind-2.8.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE'), CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as `enableDefaultTyping()` or when @JsonTypeInfo is using `Id.CLASS` or `Id.MINIMAL_CLASS` or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
CWE-502 Deserialization of Untrusted Data, CWE-184 Incomplete Blacklist
A deserialization flaw was discovered in jackson-databind through 2.9.10.4. It could allow an unauthenticated user to perform code execution via ignite-jta or quartz-core: org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup, org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory, and org.quartz.utils.JNDIConnectionProvider.
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).
FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, the attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
A flaw was found in FasterXML Jackson Databind, where entity expansion was not secured properly. This flaw leaves the library vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions are 2.13.4.1 and 2.12.17.1.
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial-of-service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.
CWE-770 Allocation of Resources Without Limits or Throttling
CUP Parser Generator Copyright Notice, License, and Disclaimer: http://www.cs.princeton.edu/~appel/modern/java/CUP/#LICENSE
File Path: /home/khannasa/.m2/repository/edu/princeton/cup/java-cup/10k/java-cup-10k.jar MD5: f3bdd2924f8350a471179b20646a1ffe SHA1: 88eadc5347b2a22c9c87a04687f0aabaeac01c0b SHA256:15894fad0a81611e351b5200bbc3bd21359fc6aed53af54a48998390e4b2700d Referenced In Project/Scope: java-sec-code:compile java-cup-10k.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
The MIT License (MIT): https://raw.githubusercontent.com/auth0/java-jwt/master/LICENSE
File Path: /home/khannasa/.m2/repository/com/auth0/java-jwt/4.0.0/java-jwt-4.0.0.jar MD5: 0d85b5ebb39b4ee6dd7eb96bebbeb4d3 SHA1: b73d56c5efa1b51c7e5f99a4f724f98717c02689 SHA256:8c4684b604a5afc03deef480008e10f380437fc124540bda3f8b041d1124128e Referenced In Project/Scope: java-sec-code:compile java-jwt-4.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Java UUID Generator (JUG) is a Java library for generating
Universally Unique IDentifiers, UUIDs (see http://en.wikipedia.org/wiki/UUID).
It can be used either as a component in a bigger application, or as a standalone command line tool.
JUG generates UUIDs according to the IETF UUID draft specification.
JUG supports all 3 official UUID generation methods.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/fasterxml/uuid/java-uuid-generator/3.1.4/java-uuid-generator-3.1.4.jar MD5: d33c23cd9ef69038136769e77973bb2b SHA1: ae83b2b74ee694812130dc1b3eec17df04498f3a SHA256:e44e8315e7c34e86d566cb3d61a9d697ebe274a35dc83e569050967519c38d77 Referenced In Project/Scope: java-sec-code:compile java-uuid-generator-3.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/org/javassist/javassist/3.27.0-GA/javassist-3.27.0-GA.jar MD5: 05ea852668c9e38294d1bb823af95a70 SHA1: f63e6aa899e15eca8fdaa402a79af4c417252213 SHA256:0730bdb1547a5a3f458d60400d804078d80f329c5b5dbc2498a4e220de8f7013 Referenced In Project/Scope: java-sec-code:compile javassist-3.27.0-GA.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar MD5: 289075e48b909e9e74e6c915b3631d2e SHA1: 6975da39a7040257bd51d21a231b76c915872d38 SHA256:91c77044a50c481636c32d916fd89c9118a72195390452c81065080f957de7ff Referenced In Project/Scope: java-sec-code:runtime javax.inject-1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/jaxen/jaxen/1.1.6/jaxen-1.1.6.jar MD5: a140517286b56eea981e188dcc3a13f6 SHA1: 3f8c36d9a0578e8e98f030c662b69888b1430ac0 SHA256:5ac9c74bbb3964b34a886ba6b1b6c0b0dc3ebeebc1dc4a44942a76634490b3eb Referenced In Project/Scope: java-sec-code:compile jaxen-1.1.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.dom4j/dom4j@2.1.0
Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/jboss/logging/jboss-logging/3.3.0.Final/jboss-logging-3.3.0.Final.jar MD5: bc11af4b8ce7138cdc79b7ba8561638c SHA1: 3616bb87707910296e2c195dc016287080bba5af SHA256:e0e0595e7f70c464609095aef9e47a8484e05f2f621c0aa5081c18e3db2d498c Referenced In Project/Scope: java-sec-code:compile jboss-logging-3.3.0.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
IBM Data Server Driver for JDBC and SQLJ is a pure-Java driver (Type 4) that supports the JDBC 4 specification. You can use this JDBC driver for Java applications that access the Db2® LUW database server.
License:
International Program License Agreement (IPLA): https://www.ibm.com/support/customer/csol/terms/?ref=L-KHAI-CASRX7-01-10-2022-zz-en
File Path: /home/khannasa/.m2/repository/com/ibm/db2/jcc/11.5.8.0/jcc-11.5.8.0.jar MD5: 095ddbc8f893722ccab9b968bd2de16a SHA1: b1973ad5dd0cb6999454accf4dd08b03119cfa68 SHA256:1c3b385b471a8c9cdb9247dfe18830779b2570bed836db59b512e6caa15eda26 Referenced In Project/Scope: java-sec-code:compile jcc-11.5.8.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.22/jcl-over-slf4j-1.7.22.jar MD5: 87f0c69f2d86475c9dc8cfbde270fa4e SHA1: 86ceac14535af5a42c8fb0d06d79b925dd3cb263 SHA256:e1ab57ae2e46a4a0dcbbd15b329187600b76ce54882834b4681b24f0c083cee0 Referenced In Project/Scope: java-sec-code:compile jcl-over-slf4j-1.7.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE
A complete, Java-based solution for accessing, manipulating, and outputting XML data
License:
Similar to Apache License but with the acknowledgment clause removed: https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt
File Path: /home/khannasa/.m2/repository/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar MD5: 86a30c9b1ddc08ca155747890db423b7 SHA1: 6f14738ec2e9dd0011e343717fa624a10f8aab64 SHA256:1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5 Referenced In Project/Scope: java-sec-code:compile jdom2-2.0.6.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
File Path: /home/khannasa/.m2/repository/com/sun/jersey/jersey-core/1.19.1/jersey-core-1.19.1.jar MD5: 577161779fabb561d73388d1ffc46b1f SHA1: 04282d106f2acd5051bd9bc2935ed9a2920c9385 SHA256:86c3b0f6b933478dfdd2486f047861dd2f68502e05e3c76c7dfa3968ea2b5532 Referenced In Project/Scope: java-sec-code:runtime jersey-core-1.19.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/org/codehaus/jettison/jettison/1.3.7/jettison-1.3.7.jar MD5: c1ce879e927ca435da0fd2fd6c8a6b60 SHA1: 7d36a59a0577f11b12088b9e215d6860345b9e1d SHA256:b39e77d92f5a682c639c8962980499e6be34b5c9fda7ad4dba3b5fd9e99b5070 Referenced In Project/Scope: java-sec-code:runtime jettison-1.3.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
Those using Jettison to parse untrusted XML or JSON data may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by running out of memory. This effect may support a denial of service attack.
Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.
An infinite recursion is triggered in Jettison when constructing a JSONArray from a Collection that contains a self-reference in one of its elements. This leads to a StackOverflowError exception being thrown.
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/io/jsonwebtoken/jjwt/0.9.1/jjwt-0.9.1.jar MD5: 32b17377c70abef64a8b8203d2520932 SHA1: 54d2abfc3e63a28824d35bf600d6a5d627da681a SHA256:56e254d6a8d2306dc93e9ae2d81bf841481637f98b84847470c06cf71160d143 Referenced In Project/Scope: java-sec-code:compile jjwt-0.9.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/joda-time/joda-time/2.9.7/joda-time-2.9.7.jar MD5: 57ab2188241bd18a7392bfaf61ba33cd SHA1: 6eb2e87ddb09e944bb88f06f19ba0638d4607ffd SHA256:2bcac56802ec8d6f16941ef8a8d5fee4032902ba9937549be220f0a06eb9f503 Referenced In Project/Scope: java-sec-code:runtime joda-time-2.9.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/jolokia/jolokia-core/1.6.0/jolokia-core-1.6.0.jar MD5: 5f7ce4a39dc7622dbe97b4e285033ff7 SHA1: c0d928201b20202826dd02762fea8ae1dc1634b1 SHA256:a66c9d507a0997f4f9d31d5af5e640bc31099aa8278ac78e94e784797e1db94d Referenced In Project/Scope: java-sec-code:compile jolokia-core-1.6.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
A flaw was found in Jolokia versions from 1.2 to before 1.6.1. Affected versions are vulnerable to a system-wide CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. This could result in a Remote Code Execution attack.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/jayway/jsonpath/json-path/2.2.0/json-path-2.2.0.jar MD5: 98ec1b51b19c21a32845ba3498df6629 SHA1: 22290d17944bd239fabf5ac69005a60a7ecbbbcb SHA256:f74833d885773a0a3a937ebdb632ca2ff6d95b52cf7f5725de6dd688844207cd Referenced In Project/Scope: java-sec-code:compile json-path-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.
Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/googlecode/json-simple/json-simple/1.1.1/json-simple-1.1.1.jar MD5: 5cc2c478d73e8454b4c369cee66c5bc7 SHA1: c9ad4a0850ab676c5c64461a05ca524cdfff59f1 SHA256:4e69696892b88b41c55d49ab2fdcc21eead92bf54acc588c0050596c3b75199c Referenced In Project/Scope: java-sec-code:compile json-simple-1.1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.jolokia/jolokia-core@1.6.0
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/net/minidev/json-smart/2.2.1/json-smart-2.2.1.jar MD5: 4c82c537eb0ba92adad494283711cc11 SHA1: 5b9e5df7a62d1279b70dc882b041d249c4f0b002 SHA256:871ff1fca0709fbf924a86704f1c7070e1ee774881c76feb1ba781351efe4693 Referenced In Project/Scope: java-sec-code:compile json-smart-2.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.jayway.jsonpath/json-path@2.2.0
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4 which causes a denial of service (DOS) via a crafted web request.
[Json-smart](https://netplex.github.io/json-smart/) is a performance-focused JSON processor library.
When reaching a '[' or '{' character in the JSON input, the code parses an array or an object respectively.
It was discovered that the code does not impose any limit on the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause stack exhaustion (stack overflow) and crash the software.
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
CWE-754 Improper Check for Unusual or Exceptional Conditions
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jQuery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
License:
The MIT License: https://jsoup.org/license
File Path: /home/khannasa/.m2/repository/org/jsoup/jsoup/1.10.2/jsoup-1.10.2.jar MD5: 36145fee38e79b81035787f1be296a52 SHA1: 33ee82e324f4b1e40167f3dc5e01234a1c5cab61 SHA256:6ebe6abd7775c10a49407ae22db45c840cd2cdaf715866a5b0b5af70941c3f4a Referenced In Project/Scope: java-sec-code:compile jsoup-1.10.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including `javascript:` URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default `SafeList.preserveRelativeLinks` option is enabled, HTML including `javascript:` URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading:
- disable `SafeList.preserveRelativeLinks`, which will rewrite input URLs as absolute URLs
- ensure an appropriate [Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar MD5: 1d5a772e400b04bb67a7ef4a0e0996d8 SHA1: 40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf SHA256:905721a0eea90a81534abb7ee6ef4ea2e5e645fa1def0a5cd88402df1b46c9ed Referenced In Project/Scope: java-sec-code:compile jsr305-1.3.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.google.guava/guava@23.0
File Path: /home/khannasa/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar MD5: c9803468299ec255c047a280ddec510f SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6 SHA256:ab1534b73b5fa055808e6598a5e73b599ccda28c3159c3c0908977809422ee4a Referenced In Project/Scope: java-sec-code:runtime jsr311-api-1.1.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/slf4j/jul-to-slf4j/1.7.22/jul-to-slf4j-1.7.22.jar MD5: df613082ad3cd4b37035401440fc5fbc SHA1: b0429e950b3d2bc2c39c1bacafac753edbe3781c SHA256:4d372bdee468471321d10476ea40e43dd56f07cccb4d899dba322162b63c42c1 Referenced In Project/Scope: java-sec-code:compile jul-to-slf4j-1.7.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
License:
Eclipse Public License 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/khannasa/.m2/repository/junit/junit/4.12/junit-4.12.jar MD5: 5b38c40c97fbd0adee29f91e60405584 SHA1: 2973d150c0dc1fefe998f834810d68f278ea58ec SHA256:59721f0805e223d84b90677887d9ff567dc534d7c502ca903c0c2b17f05c116a Referenced In Project/Scope: java-sec-code:compile junit-4.12.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
CWE-732 Incorrect Permission Assignment for Critical Resource
File Path: /home/khannasa/.m2/repository/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.9.1.jar MD5: 20f0b4e1a16bd2030f0acc2b277cb16f SHA1: 7a2999229464e7a324aa503c0a52ec0f05efe7bd SHA256:cad088ba9c43e1a13bba0a3d44bec1ef42bd22fdf12dad2bd73a22666bfbd009 Referenced In Project/Scope: java-sec-code:compile log4j-api-2.9.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
File Path: /home/khannasa/.m2/repository/org/apache/logging/log4j/log4j-core/2.9.1/log4j-core-2.9.1.jar MD5: 942f429eacb8015e18d8f59996cfbee6 SHA1: c041978c686866ee8534f538c6220238db3bb6be SHA256:dc435b35b5923eb05afe30a24f04e9a0a5372da8e76f986efe8508b96101c4ff Referenced In Project/Scope: java-sec-code:compile log4j-core-2.9.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Description: Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.
Required Action: For all affected software assets for which updates exist, the only acceptable remediation actions are: 1) Apply updates; OR 2) remove affected assets from agency networks. Temporary mitigations using one of the measures provided at https://www.cisa.gov/uscert/ed-22-02-apache-log4j-recommended-mitigation-measures are only acceptable until updates are available.
Due Date: 2021-12-24
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Name: Apache Log4j2 Deserialization of Untrusted Data Vulnerability
Date Added: 2023-05-01
Description: Apache Log4j2 contains a deserialization of untrusted data vulnerability due to the incomplete fix of CVE-2021-44228, where the Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations.
Required Action: Apply updates per vendor instructions.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.
Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
File Path: /home/khannasa/.m2/repository/org/slf4j/log4j-over-slf4j/1.7.22/log4j-over-slf4j-1.7.22.jar MD5: d00b5cae2cdecebcc051d748f7a13ba0 SHA1: a527c37e9ca6c3d19ba298edd4aa344ca751a203 SHA256:219c52f9b4a0b2525c83b4f47cf7535a489f8d5a3a66c359b0916a2e110ee43c Referenced In Project/Scope: java-sec-code:compile log4j-over-slf4j-1.7.22.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
File Path: /home/khannasa/.m2/repository/ch/qos/logback/logback-core/1.1.9/logback-core-1.1.9.jar MD5: 01b122c501f7cd81d9bbefa22d28bc53 SHA1: e05d0cb67220937c32d7b4e5a47f967605376f63 SHA256:19346df199c443f56b4880d386016295d628293643152f5f4ac6287a341ada74 Referenced In Project/Scope: java-sec-code:compile logback-core-1.1.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that causes arbitrary code loaded from LDAP servers to be executed.
Spice up your java: Automatic Resource Management, automatic generation of getters, setters, equals, hashCode and toString, and more!
License:
The MIT License: https://projectlombok.org/LICENSE
File Path: /home/khannasa/.m2/repository/org/projectlombok/lombok/1.18.20/lombok-1.18.20.jar MD5: e863b4be4fe03d2da763679ba1a9079b SHA1: 18bcea7d5df4d49227b4a0743a536208ce4825bb SHA256:ce947be6c2fbe759fbbe8ef3b42b6825f814c98c8853f1013f2d9630cedf74b0 Referenced In Project/Scope: java-sec-code:provided lombok-1.18.20.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
File Path: /home/khannasa/.m2/repository/org/mapstruct/mapstruct/1.2.0.Final/mapstruct-1.2.0.Final.jar MD5: badce92967671a310b5356f009ea57b2 SHA1: 8609d6eb044e9f6c73cb24c8f2f4ed5c72a249c7 SHA256:a3d2414cb7adbd5ae9b29bff5197a42d6e48bdf68d9798d437f48e798abd2309 Referenced In Project/Scope: java-sec-code:compile mapstruct-1.2.0.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented
applications. MyBatis couples objects with stored procedures or SQL statements using an XML descriptor or
annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping
tools.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/mybatis/mybatis/3.4.6/mybatis-3.4.6.jar
MD5: be0cd2a55a854f3abf2a2461371b9c66 SHA1: a77a546f679533837f6c6a75c034b669f3ce6a2f SHA256: c3a395969ff96b8f4ba074e8e6e49ef0aad06a11b919764e6bc14dbe3b967ded
Referenced In Project/Scope: java-sec-code:compile
mybatis-3.4.6.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2
An easy-to-use Spring bridge for MyBatis sql mapping framework.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/mybatis/mybatis-spring/1.3.2/mybatis-spring-1.3.2.jar
MD5: a37ab7386e6665bf2169185a16c41f71 SHA1: fd9961cd026b1f6998be27c516973dd5366b14ec SHA256: d97da1f5b3d7f7464890986ee126b02bf37f7729e63cc978aa39cf778e063e1c
Referenced In Project/Scope: java-sec-code:compile
mybatis-spring-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2
File Path: /home/khannasa/.m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-autoconfigure/1.3.2/mybatis-spring-boot-autoconfigure-1.3.2.jar
MD5: cd7f70c1b5eb8cc16d1f50a46bd7318d SHA1: cada00d6bb4e7b8a733b3cd376ad69a307008685 SHA256: 8bb6bc8e875df13ba80edc9fce36cb273cf251cbad4afd0d47d7e1b7f5703990
Referenced In Project/Scope: java-sec-code:compile
mybatis-spring-boot-autoconfigure-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2
File Path: /home/khannasa/.m2/repository/org/mybatis/spring/boot/mybatis-spring-boot-starter/1.3.2/mybatis-spring-boot-starter-1.3.2.jar
MD5: ea2db333f092392fd6caff94953eedff SHA1: cb6de087ae0d34b23ad0671aacdbcc433d84875f SHA256: 6d25422f21673b08ad795a1ac488352a2e85c367de9b53542dadab2d2489d1e6
Referenced In Project/Scope: java-sec-code:compile
mybatis-spring-boot-starter-1.3.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
The GNU General Public License, v2 with FOSS exception
File Path: /home/khannasa/.m2/repository/mysql/mysql-connector-java/8.0.12/mysql-connector-java-8.0.12.jar
MD5: 88766727e5e434ceb94315b0dae0e4b4 SHA1: 08e201602cc1ddd145c4c74e67d4002d3d4b1796 SHA256: 5b09edb8700512a526eb109c308e9e752d9eb3d915f6b1d33bdbdb9707ed8799
Referenced In Project/Scope: java-sec-code:compile
mysql-connector-java-8.0.12.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Evidence
Type    | Source               | Name                    | Value                                                   | Confidence
--------|----------------------|-------------------------|---------------------------------------------------------|-----------
Vendor  | file                 | name                    | mysql-connector-java                                    | High
Vendor  | hint analyzer        | vendor                  | oracle                                                  | Highest
Vendor  | hint analyzer (hint) | vendor                  | sun                                                     | Highest
Vendor  | jar                  | package name            | cj                                                      | Highest
Vendor  | jar                  | package name            | driver                                                  | Highest
Vendor  | jar                  | package name            | jdbc                                                    | Highest
Vendor  | jar                  | package name            | mysql                                                   | Highest
Vendor  | jar                  | package name            | type                                                    | Highest
Vendor  | Manifest             | bundle-symbolicname     | com.mysql.cj                                            | Medium
Vendor  | Manifest             | Implementation-Vendor   | Oracle                                                  | High
Vendor  | Manifest             | Implementation-Vendor-Id| com.mysql                                               | Medium
Vendor  | Manifest             | specification-vendor    | Oracle Corporation                                      | Low
Vendor  | Manifest (hint)      | Implementation-Vendor   | sun                                                     | High
Vendor  | pom                  | artifactid              | mysql-connector-java                                    | Highest
Vendor  | pom                  | artifactid              | mysql-connector-java                                    | Low
Vendor  | pom                  | groupid                 | mysql                                                   | Highest
Vendor  | pom                  | name                    | MySQL Connector/J                                       | High
Vendor  | pom                  | organization name       | Oracle Corporation                                      | High
Vendor  | pom                  | organization url        | http://www.oracle.com                                   | Medium
Vendor  | pom                  | url                     | http://dev.mysql.com/doc/connector-j/en/                | Highest
Product | file                 | name                    | mysql-connector-java                                    | High
Product | hint analyzer        | product                 | mysql_connector/j                                       | Highest
Product | hint analyzer        | product                 | mysql_connector_j                                       | Highest
Product | hint analyzer        | product                 | mysql_connectors                                        | Highest
Product | jar                  | package name            | cj                                                      | Highest
Product | jar                  | package name            | driver                                                  | Highest
Product | jar                  | package name            | jdbc                                                    | Highest
Product | jar                  | package name            | mysql                                                   | Highest
Product | jar                  | package name            | type                                                    | Highest
Product | jar                  | package name            | xdevapi                                                 | Highest
Product | Manifest             | Bundle-Name             | Oracle Corporation's JDBC and XDevAPI Driver for MySQL  |
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/netflix-commons/netflix-commons-util/0.1.1/netflix-commons-util-0.1.1.jar
MD5: 39797b7f8b2dfb710f79f21be1b68e3f SHA1: 39e67061780476f207b31465baaed84a91ff659f SHA256: 3b5336df78667d56d84e8fef0910188ede7a08aa81788e05378266a30477d28b
Referenced In Project/Scope: java-sec-code:runtime
netflix-commons-util-0.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/netflix-commons/netflix-eventbus/0.3.0/netflix-eventbus-0.3.0.jar
MD5: 8ad05394a13f658a67d1e4cbf0359402 SHA1: 3f864adbe81f0849729fcbba3fe693c32be739ea SHA256: 387bce0906f22c285ed96bcc520a7581d6abbc418b6c3c1e45a4530eb97d94b1
Referenced In Project/Scope: java-sec-code:runtime
netflix-eventbus-0.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/netflix-commons/netflix-infix/0.3.0/netflix-infix-0.3.0.jar
MD5: 3410072887ca26fc0b7e71a7e91f8e2b SHA1: acc65969f7367ddd2f1265e0cd7330509ed530dc SHA256: 7dec45215c262c4f0a42c1f3adb8613788cf43c6ed21274e15c73ea5500d2597
Referenced In Project/Scope: java-sec-code:runtime
netflix-infix-0.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/netflix-commons/netflix-statistics/0.1.1/netflix-statistics-0.1.1.jar
MD5: 739701e8e7cd9a1a37c6e2b215b6e13a SHA1: 12f6e48253f9cafa0e24d7d232ff504c52143212 SHA256: 573c6d5ad04177db9f9ea4121c94cf85ea7f85d4800eddac2cb140e9cb544e2d
Referenced In Project/Scope: java-sec-code:runtime
netflix-statistics-0.1.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /home/khannasa/.m2/repository/io/netty/netty-codec/4.0.27.Final/netty-codec-4.0.27.Final.jar
MD5: 95596580c1b6e10be356a52ddd022098 SHA1: 08ed3790b480d4370d22ad1b74a79a54663619b3 SHA256: 452715cd6024b6a1357d608b41ed24d5a40182e52bb2cebf8c6e8696ddf60198
Referenced In Project/Scope: java-sec-code:runtime
netty-codec-4.0.27.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
netty-codec - Denial of Service (DoS) via Memory Exhaustion [CVE-2020-11612]
The product allocates memory based on an untrusted size value, but it does not validate or incorrectly validates the size, allowing arbitrary amounts of memory to be allocated.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-11612 for details.
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
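The header-parsing findings listed above for netty-codec (a header line without a colon, whitespace before the colon, a second Content-Length or a Content-Length next to Transfer-Encoding, and control characters at the edges of a header name) share one fix: refuse the ambiguous header block instead of quietly repairing it, because the repaired version is what a downstream parser will read differently. The Python below is an added example written for this page, not Netty code and not part of the Dependency-Check report. The header blocks in SAMPLES are constructed; the allowed header-name characters are RFC 7230's token set.

```python
import re
from typing import List, Tuple

# Characters RFC 7230 allows in a header-field name (a "token").  Anything
# else, including every control character, is rejected rather than stripped.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class SmugglingRisk(ValueError):
    """A header block that two parsers could reasonably read differently."""


def parse_header_block(raw: bytes) -> List[Tuple[str, str]]:
    """Parse CRLF-separated 'Name: value' lines strictly.

    Each check corresponds to a lenient behaviour from the findings above:
    a line without a colon, whitespace before the colon, and control
    characters at the edges of the name are refused instead of repaired.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.split(b"\r\n"):
        if line == b"":
            continue  # trailing CRLF or end of block
        if b":" not in line:
            raise SmugglingRisk(f"header line without colon: {line!r}")
        name, value = line.split(b":", 1)
        if name != name.strip(b" \t"):
            # 'Transfer-Encoding : chunked' must not become Transfer-Encoding.
            raise SmugglingRisk(f"whitespace around header name: {line!r}")
        if not _TOKEN.match(name.decode("latin-1")):
            raise SmugglingRisk(f"invalid header name: {name!r}")
        headers.append((name.decode("latin-1").lower(),
                        value.strip(b" \t").decode("latin-1")))
    return headers


def check_framing(headers: List[Tuple[str, str]]) -> dict:
    """Refuse the body-length ambiguities from the Netty < 4.1.44 findings:
    two Content-Length headers, or Content-Length next to Transfer-Encoding."""
    cls = [v for n, v in headers if n == "content-length"]
    tes = [v for n, v in headers if n == "transfer-encoding"]
    if len(cls) > 1:
        raise SmugglingRisk(f"multiple Content-Length headers: {cls}")
    if cls and tes:
        raise SmugglingRisk("Content-Length and Transfer-Encoding both present")
    if cls and not cls[0].isdigit():
        raise SmugglingRisk(f"non-numeric Content-Length: {cls[0]!r}")
    return {"content_length": int(cls[0]) if cls else None,
            "chunked": any("chunked" in v.lower() for v in tes)}


def classify(raw: bytes) -> Tuple[bool, str]:
    """(True, '') when the block is unambiguous, else (False, reason)."""
    try:
        check_framing(parse_header_block(raw))
    except SmugglingRisk as exc:
        return False, str(exc)
    return True, ""


# Constructed sample header blocks, one per lenient behaviour described above.
SAMPLES = {
    "clean":              b"Host: example.test\r\nContent-Length: 5\r\n",
    "chunked_only":       b"Host: example.test\r\nTransfer-Encoding: chunked\r\n",
    "no_colon":           b"Host: example.test\r\nX-Broken\r\n",
    "space_before_colon": b"Host: example.test\r\nTransfer-Encoding : chunked\r\n",
    "control_char_name":  b"Host: example.test\r\n\x01Transfer-Encoding: chunked\r\n",
    "double_cl":          b"Host: example.test\r\nContent-Length: 5\r\nContent-Length: 50\r\n",
    "cl_and_te":          b"Host: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n",
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        ok, reason = classify(block)
        print(f"{label:20s} {'OK' if ok else 'REJECT: ' + reason}")
```

Run it directly to see each sample classified; only the two unambiguous blocks pass. The design choice is that every rejection happens before any body bytes are read, so a proxy built on this never forwards a request whose length it could not pin down.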
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
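The CWE-789 entry, the Bzip2 and Snappy decoder findings, and the SniHandler finding above all have the same shape: a size taken from untrusted input decides how much memory gets allocated or buffered. The Python below is an added example, not Netty's code and not part of the report. It shows the two guards that close that shape: a decompressor that caps its output instead of letting the stream decide, and a length-prefixed frame reader that rejects the declared length before buffering for it. The caps MAX_OUTPUT and MAX_FRAME, the 4-byte big-endian frame format and the sample inputs are assumptions made for this example.

```python
import bz2
import struct
from typing import Dict

MAX_OUTPUT = 1 << 20    # assumed policy: at most 1 MiB of decompressed data
MAX_FRAME = 16 * 1024   # assumed policy: a declared frame may not exceed 16 KiB


class ResourceLimit(Exception):
    """The input asked for more memory than the policy allows."""


def bounded_decompress(data: bytes, max_out: int = MAX_OUTPUT) -> bytes:
    """Decompress a bz2 stream but never hold more than max_out output bytes.

    BZ2Decompressor.decompress(max_length=...) hands back at most max_length
    bytes per call, so the caller, not the stream, decides the allocation.
    Asking for max_out + 1 bytes detects an over-limit stream in one call.
    """
    d = bz2.BZ2Decompressor()
    out = d.decompress(data, max_length=max_out + 1)
    if len(out) > max_out:
        raise ResourceLimit(f"decompressed output exceeds {max_out} bytes")
    if not d.eof:
        raise ValueError("truncated or malformed bz2 stream")
    return out


def read_frame(buf: bytes, max_frame: int = MAX_FRAME) -> bytes:
    """Parse one '<u32 big-endian length><payload>' frame.

    The declared length is checked against the cap before any buffer is sized
    from it.  The unsafe variant would allocate `declared` bytes up front and
    wait for the peer to fill them, which is the shape of the SniHandler and
    Snappy findings: a tiny packet that reserves a large buffer.
    """
    if len(buf) < 4:
        raise ValueError("need a 4-byte length prefix")
    (declared,) = struct.unpack(">I", buf[:4])
    if declared > max_frame:
        raise ResourceLimit(f"declared length {declared} exceeds cap {max_frame}")
    if len(buf) - 4 < declared:
        raise ValueError("frame incomplete: wait for more bytes")
    return buf[4:4 + declared]


def run_samples() -> Dict[str, str]:
    """Exercise both guards on constructed inputs; returns an outcome per case."""
    small = bz2.compress(b"hello " * 100)            # expands to 600 bytes
    bomb = bz2.compress(b"\0" * (4 << 20))           # tiny stream, 4 MiB expanded
    good_frame = struct.pack(">I", 3) + b"abc"
    huge_frame = struct.pack(">I", 1 << 24) + b"x"   # claims 16 MiB, sends 1 byte
    cases = {
        "small_bz2": lambda: bounded_decompress(small),
        "bz2_bomb": lambda: bounded_decompress(bomb),
        "good_frame": lambda: read_frame(good_frame),
        "huge_frame": lambda: read_frame(huge_frame),
    }
    results: Dict[str, str] = {}
    for label, fn in cases.items():
        try:
            results[label] = f"ok:{len(fn())}"
        except ResourceLimit:
            results[label] = "limit"
    return results


if __name__ == "__main__":
    for label, outcome in run_samples().items():
        print(f"{label:12s} {outcome}")
```

The point of the frame reader is where the check sits: before the allocation, on the declared value, so an attacker who sends only the length prefix and then goes idle has cost the server nothing. The same ordering is what an idle timeout cannot replace, since the timeout only reclaims memory that was already handed out.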
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
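The two temp-file entries above describe one risky pattern (a uniquely named file created in the shared system temp directory with the umask-derived default mode, readable by other local users) and two workarounds (a private `java.io.tmpdir`, or `DefaultHttpDataFactory.setBaseDir(...)` pointing at a directory only the current user can read). The Python below is an added example, not Netty code and not part of the report; it creates one file per pattern, reads back the mode bits, and decides on mode bits alone whether another local user could reach the file (ownership and ACLs are ignored). It assumes a POSIX filesystem; the file contents and names are constructed for the example.

```python
import os
import secrets
import stat
import tempfile
from typing import Dict


def current_umask() -> int:
    """Read the process umask without changing it (set-then-restore idiom)."""
    old = os.umask(0)
    os.umask(old)
    return old


def mode_of(path: str) -> int:
    """Permission bits of a path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def reachable_by_others(path: str) -> bool:
    """Mode-bit check only (ownership and ACLs ignored): another user can read
    the file if its mode grants world read and every directory above it grants
    world search (execute)."""
    if not (mode_of(path) & stat.S_IROTH):
        return False
    d = os.path.dirname(os.path.abspath(path))
    while True:
        if not (mode_of(d) & stat.S_IXOTH):
            return False
        parent = os.path.dirname(d)
        if parent == d:
            return True
        d = parent


def _create_exclusive(path: str, data: bytes) -> str:
    """Create a new file with the default (umask-derived) mode and write data.
    This mirrors the File.createTempFile behaviour the entries above describe:
    a random name, but 0666 & ~umask rather than an owner-only mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def store_upload_shared_tmp(data: bytes) -> str:
    """Risky: random name in the shared temp dir, default mode (usually 0644)."""
    name = "upload-" + secrets.token_hex(8) + ".tmp"
    return _create_exclusive(os.path.join(tempfile.gettempdir(), name), data)


def store_upload_owner_only(data: bytes) -> str:
    """Safe pattern 1: mkstemp creates the file with mode 0600 regardless of umask."""
    fd, path = tempfile.mkstemp(prefix="upload-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def make_private_base_dir() -> str:
    """Safe pattern 2: a 0700 base directory.  This is the property the
    setBaseDir(...) / private java.io.tmpdir workaround relies on."""
    return tempfile.mkdtemp(prefix="uploads-")


def store_upload_private_dir(base_dir: str, data: bytes) -> str:
    """Same default-mode create as the risky case, but under a 0700 directory,
    so the file's own 0644 no longer exposes it."""
    name = "upload-" + secrets.token_hex(8) + ".tmp"
    return _create_exclusive(os.path.join(base_dir, name), data)


def demo() -> Dict[str, object]:
    """Create one file per pattern, record modes and reachability, clean up."""
    secret = b"session-cookie=constructed-sample"   # constructed upload body
    shared = store_upload_shared_tmp(secret)
    owner = store_upload_owner_only(secret)
    base = make_private_base_dir()
    private = store_upload_private_dir(base, secret)
    try:
        return {
            "umask": current_umask(),
            "shared_mode": mode_of(shared),
            "shared_reachable": reachable_by_others(shared),
            "owner_mode": mode_of(owner),
            "owner_reachable": reachable_by_others(owner),
            "base_mode": mode_of(base),
            "private_mode": mode_of(private),
            "private_reachable": reachable_by_others(private),
        }
    finally:
        for p in (shared, owner, private):
            os.remove(p)
        os.rmdir(base)


if __name__ == "__main__":
    for key, val in demo().items():
        shown = oct(val) if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key:18s} {shown}")
```

With the usual umask of 022 the shared-tmp file comes back as 0644 and reachable, while the mkstemp file is 0600 and the file under the private base directory stays unreachable even though its own mode is 0644. The second pattern is the one the workaround depends on: the directory, not the file, is what keeps other users out, which is why a private base directory protects even code that never sets a file mode.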
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /home/khannasa/.m2/repository/io/netty/netty-handler/4.0.27.Final/netty-handler-4.0.27.Final.jar
MD5: 5fa80364ee1172ef764f1f7bd82f60b7 SHA1: 91d5c8e25150759bdfce680f318e7b3e8a493b1f SHA256: 1ac31cdd3a8f2a8eb6f83c17ce8057a18d15505cd6fdc1bd19fcd30a2afa83a6
Referenced In Project/Scope: java-sec-code:runtime
netty-handler-4.0.27.Final.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.
netty-handler - Improper Certificate Validation
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
CWE-300 Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a follow-up of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
File Path: /home/khannasa/.m2/repository/io/netty/netty-transport/4.0.27.Final/netty-transport-4.0.27.Final.jar MD5: 79b946151ae96948889565acddafe9c7 SHA1: fc1e00d9d2815f74df6af1cf79da65d6b2d6b102 SHA256:afc0e7fa6d998629076e655291612da1882f7226b9d5aa84961c98eb63484d14 Referenced In Project/Scope: java-sec-code:runtime netty-transport-4.0.27.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards them to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
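The header ambiguities listed above (a header line without a colon, a duplicate Content-Length, Content-Length alongside Transfer-Encoding, whitespace before the colon, control characters in a header name) are exactly what a front end must refuse rather than normalize: once "sanitized", the next hop sees a clean request and makes a different framing decision. The following is an added example, not Netty's parser and not code from this report: a strict check over the raw request head that returns every ambiguity it finds so the request can be rejected before it is forwarded. The class name and the sample requests are constructed for illustration.

```java
// Added example (not Netty's parser): a strict check of an HTTP/1.1 request head
// that refuses the ambiguities listed in the advisories above instead of
// "sanitizing" them away. Run it on any raw request before forwarding.
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public final class StrictHeadCheck {

    /** RFC 7230 tchar: the only bytes allowed in a header field name. */
    private static boolean isTokenChar(char c) {
        return c > 0x20 && c < 0x7f && "\"(),/:;<=>?@[\\]{}".indexOf(c) < 0;
    }

    /** Returns the list of reasons to reject; an empty list means the head is unambiguous. */
    public static List<String> findings(String head) {
        List<String> out = new ArrayList<>();
        // Only CRLF may terminate a line; a bare LF is already a parser-dependent choice.
        if (head.indexOf('\n') >= 0 && !head.contains("\r\n")) {
            out.add("bare LF line endings");
        }
        String[] lines = head.split("\r?\n", -1);
        if (lines.length == 0 || lines[0].split(" ").length != 3) {
            out.add("malformed request line");
            return out;
        }
        int contentLengthCount = 0;
        boolean transferEncoding = false;
        for (int i = 1; i < lines.length; i++) {
            String line = lines[i];
            if (line.isEmpty()) {
                break; // blank line ends the head
            }
            if (line.charAt(0) == ' ' || line.charAt(0) == '\t') {
                out.add("obsolete line folding at line " + (i + 1));
                continue;
            }
            int colon = line.indexOf(':');
            if (colon <= 0) {
                // CVE-2019-20445 shape: no colon, so is it a header or a fold?
                out.add("header without a colon at line " + (i + 1) + ": " + line);
                continue;
            }
            String name = line.substring(0, colon);
            for (int j = 0; j < name.length(); j++) {
                // Catches "Transfer-Encoding : chunked" (space before the colon)
                // and control characters at either end of the name.
                if (!isTokenChar(name.charAt(j))) {
                    out.add("illegal byte 0x" + Integer.toHexString(name.charAt(j))
                            + " in header name at line " + (i + 1));
                    break;
                }
            }
            String lower = name.toLowerCase(Locale.ROOT);
            String value = line.substring(colon + 1).trim();
            if (lower.equals("content-length")) {
                contentLengthCount++;
                if (!value.matches("[0-9]+")) {
                    out.add("non-numeric Content-Length: " + value);
                }
            } else if (lower.equals("transfer-encoding")) {
                transferEncoding = true;
            }
        }
        if (contentLengthCount > 1) {
            out.add("multiple Content-Length headers");
        }
        if (contentLengthCount > 0 && transferEncoding) {
            out.add("Content-Length together with Transfer-Encoding");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples, one per ambiguity from the advisories above; the last is clean.
        String[] samples = {
            "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\n",
            "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n",
            "POST / HTTP/1.1\r\nHost: a\r\nTransfer-Encoding : chunked\r\n\r\n",
            "POST / HTTP/1.1\r\nHost: a\r\nX-Ignored\r\n\r\n",
            "POST / HTTP/1.1\r\nHost: a\r\n\u0001Transfer-Encoding: chunked\r\n\r\n",
            "POST / HTTP/1.1\r\nHost: a\r\nContent-Length: 5\r\n\r\n",
        };
        for (String s : samples) {
            System.out.println(findings(s));
        }
    }
}
```

The check deliberately reports rather than repairs: a proxy that rewrites "Transfer-Encoding : chunked" into a valid header has made the framing decision on behalf of the backend, which is the smuggling primitive these advisories describe.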
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap per connection. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this purpose it allocates a `ByteBuf` using the length value defined in the `ClientHello` record. Normally that value should be smaller than the handshake packet, but no checks are done here, and the way the code is written it is possible to craft a packet that makes the `SslClientHelloHandler` allocate the full 16MB. This vulnerability has been fixed in version 4.1.94.Final.
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec` and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed this one case. This was fixed as part of 4.1.61.Final.
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
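The workaround named in the two HTTP/2 advisories above, a validating `ChannelInboundHandler` placed behind `Http2StreamFrameToHttpObjectCodec`, as an added example that is not Netty's own fix: it records the declared Content-Length of each converted request, counts the body bytes that actually arrive, and closes the channel on any mismatch (including the single HEADERS frame with endStream and a non-zero Content-Length from the 4.1.61 follow-up) or on a request carrying both framing headers. The class name and its pipeline position are assumptions; the Netty types used are the public `netty-codec-http` API.

```java
// Added example, not Netty's own fix: the workaround the advisories suggest, a
// handler placed right after Http2StreamFrameToHttpObjectCodec in the child
// channel pipeline. It enforces that the bytes actually received for a request
// match its declared Content-Length before anything is forwarded over HTTP/1.1.
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInboundHandlerAdapter;
import io.netty.handler.codec.http.HttpContent;
import io.netty.handler.codec.http.HttpRequest;
import io.netty.handler.codec.http.HttpUtil;
import io.netty.handler.codec.http.LastHttpContent;
import io.netty.util.ReferenceCountUtil;

public final class ContentLengthGuard extends ChannelInboundHandlerAdapter {

    private long declared = -1;   // Content-Length of the request in flight, -1 if absent
    private long received = 0;    // body bytes seen so far for that request

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
        if (msg instanceof HttpRequest) {
            HttpRequest req = (HttpRequest) msg;
            received = 0;
            declared = -1;
            if (HttpUtil.isContentLengthSet(req)) {
                // Both framing headers on one request is ambiguous once it is HTTP/1.1.
                if (HttpUtil.isTransferEncodingChunked(req)) {
                    reject(ctx, msg, "Content-Length together with Transfer-Encoding");
                    return;
                }
                declared = HttpUtil.getContentLength(req, -1L);
                if (declared < 0) {
                    reject(ctx, msg, "unparseable Content-Length");
                    return;
                }
            }
        }
        if (msg instanceof HttpContent) {
            // A FullHttpRequest is both HttpRequest and HttpContent; it lands here too.
            received += ((HttpContent) msg).content().readableBytes();
            if (declared >= 0 && received > declared) {
                reject(ctx, msg, "body exceeds declared Content-Length");
                return;
            }
            if (msg instanceof LastHttpContent) {
                // endStream with fewer bytes than declared: the 4.1.61 case. The bytes
                // "missing" here would be taken from the next request on the backend.
                if (declared >= 0 && received != declared) {
                    reject(ctx, msg, "body shorter than declared Content-Length");
                    return;
                }
                declared = -1;
                received = 0;
            }
        }
        ctx.fireChannelRead(msg);
    }

    private static void reject(ChannelHandlerContext ctx, Object msg, String why) {
        // Drop the message and the connection; never forward an ambiguous request.
        ReferenceCountUtil.release(msg);
        ctx.fireExceptionCaught(new IllegalStateException("request rejected: " + why));
        ctx.close();
    }
}
```

Install it in the child channel's pipeline directly after the codec, for example `pipeline.addLast(new Http2StreamFrameToHttpObjectCodec(true)); pipeline.addLast(new ContentLengthGuard());`, and ahead of whatever handler writes to the HTTP/1.1 backend. Upgrading to 4.1.61.Final or later remains the actual fix; the guard only closes the gap for deployments that cannot yet move.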
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
CWE-378 Creation of Temporary File With Insecure Permissions, CWE-379 Creation of Temporary File in Directory with Incorrect Permissions, CWE-668 Exposure of Resource to Wrong Sphere
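Both temp-file advisories above (the original for 4.1.59.Final and its follow-up for 4.1.77.Final, listed under each affected Netty jar) give the same mitigation: point the multipart decoders at a directory only the current user can read. The following added example, not Netty code, creates such a directory with owner-only permissions applied atomically at creation, refuses to start if the configured directory is readable by anyone else, and wires it into `DefaultHttpDataFactory.setBaseDir`. It assumes a POSIX filesystem, Java 11 or later and Netty 4.1.x; the class name and the directory path under the user's home are illustrative.

```java
// Added example (not Netty project code): keep multipart upload spill files
// out of the shared system temp directory, as the advisories above advise.
import io.netty.handler.codec.http.multipart.DefaultHttpDataFactory;
import io.netty.handler.codec.http.multipart.HttpDataFactory;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

public final class PrivateUploadDir {

    /** Permissions we insist on for the spool directory: owner rwx only. */
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rwx------");

    /**
     * Creates a fresh directory under parent that only the current user can enter or
     * read. The permissions are passed at creation time, so there is no window in
     * which the directory exists with the umask-derived default the advisories describe.
     */
    public static Path createPrivateDir(Path parent) throws IOException {
        Files.createDirectories(parent);
        return Files.createTempDirectory(parent, "uploads-",
                PosixFilePermissions.asFileAttribute(OWNER_ONLY));
    }

    /**
     * Returns true when group or world can read or traverse dir. Use it as a startup
     * check against whatever java.io.tmpdir or base dir is configured.
     */
    public static boolean isReadableByOthers(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
        Set<PosixFilePermission> others = EnumSet.of(
                PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_EXECUTE,
                PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_EXECUTE);
        others.retainAll(perms);
        return !others.isEmpty();
    }

    /**
     * Builds the HttpDataFactory handed to HttpPostRequestDecoder. Data larger than
     * minSize bytes is spooled to disk, but only under our private directory.
     */
    public static HttpDataFactory diskBackedFactory(Path privateDir, long minSize) throws IOException {
        if (isReadableByOthers(privateDir)) {
            throw new IOException("refusing to spool uploads into a directory readable by other users: " + privateDir);
        }
        DefaultHttpDataFactory factory = new DefaultHttpDataFactory(minSize);
        factory.setBaseDir(privateDir.toAbsolutePath().toString());
        factory.setDeleteOnExit(true);
        return factory;
    }

    public static void main(String[] args) throws IOException {
        // Default behaviour the advisories describe: spill files land in java.io.tmpdir,
        // which on Linux is the world-readable /tmp.
        Path systemTmp = Path.of(System.getProperty("java.io.tmpdir"));
        System.out.println(systemTmp + " readable by others: " + isReadableByOthers(systemTmp));

        // Hardened: a per-process directory that only this user can read.
        Path privateDir = createPrivateDir(Path.of(System.getProperty("user.home"), ".app-uploads"));
        System.out.println(privateDir + " readable by others: " + isReadableByOthers(privateDir));
        HttpDataFactory factory = diskBackedFactory(privateDir, DefaultHttpDataFactory.MINSIZE);
        System.out.println("factory configured: " + factory.getClass().getSimpleName());
    }
}
```

The startup check matters as much as the directory: operators routinely override `java.io.tmpdir` to a shared scratch volume, and a refusal at boot is cheaper than a disclosure found later.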
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/ognl/ognl/3.0.8/ognl-3.0.8.jar MD5: 6f2969f0eb541a6f4ecfa15faa8155d7 SHA1: 37e1aebfde7eb7baebc9ad4f85116ef9009c5fc5 SHA256:97c13090ba9f1b2c34a9548461423e734252dafe0774af55c53d248c736e488c Referenced In Project/Scope: java-sec-code:compile ognl-3.0.8.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
Apache Struts 2.0.0 through 2.3.24.1 does not properly cache method references when used with OGNL before 3.0.12, which allows remote attackers to cause a denial of service (block access to a web site) via unspecified vectors.
File Path: /home/khannasa/.m2/repository/com/squareup/okhttp/okhttp/2.5.0/okhttp-2.5.0.jar MD5: eb8bf45f81bf9f17d1fcfb2eca63aaa6 SHA1: 4de2b4ed3445c37ec1720a7d214712e845a24636 SHA256:1cc716e29539adcda677949508162796daffedb4794cbf947a6f65e696f0381c Referenced In Project/Scope: java-sec-code:compile okhttp-2.5.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
In verifyHostName of OkHostnameVerifier.java, there is a possible way to accept a certificate for the wrong domain due to improperly used crypto. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.1, Android-9, Android-10, Android-11. Android ID: A-171980069
OkHttp before 2.7.4 and 3.x before 3.1.2 allows man-in-the-middle attackers to bypass certificate pinning by sending a certificate chain with a certificate from a non-pinned trusted CA and the pinned certificate.
A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.
CWE-209 Information Exposure Through an Error Message
File Path: /home/khannasa/.m2/repository/com/squareup/okio/okio/1.6.0/okio-1.6.0.jar MD5: 164d1c28c323cf6e2a917d60374c5718 SHA1: 98476622f10715998eacf9240d6b479f12c66143 SHA256:114bdc1f47338a68bcbc95abf2f5cdc72beeec91812f2fcd7b521c1937876266 Referenced In Project/Scope: java-sec-code:compile okio-1.6.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.squareup.okhttp/okhttp@2.5.0
GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.
CWE-681 Incorrect Conversion between Numeric Types
Eclipse Public License Version 1.0: http://www.eclipse.org/org/documents/epl-v10.php
File Path: /home/khannasa/.m2/repository/com/rackspace/eclipse/webtools/sourceediting/org.eclipse.wst.xml.xpath2.processor/2.1.100/org.eclipse.wst.xml.xpath2.processor-2.1.100.jar MD5: d7265d94a86303f0dd8c31c962c49f4a SHA1: e3a9a2dcbb256530c68ab66e10f41f882c3df086 SHA256:a7a73a0a668d0a9b9effb046d20076e33f18ae4c02d418b56721ef57b216ed79 Referenced In Project/Scope: java-sec-code:compile org.eclipse.wst.xml.xpath2.processor-2.1.100.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/poi/poi/3.10-FINAL/poi-3.10-FINAL.jar MD5: 8a8f8d9d6ce0cba8ee9fe1403643cd2e SHA1: e22fd3bb6a7152bd7d07c7e8901c2451b601725f SHA256:113d2cbe641bd82b1a990fdf946f416753241a017f89777d92f7136f87e806a5 Referenced In Project/Scope: java-sec-code:compile poi-3.10-FINAL.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar MD5: a03b94af357fdc8b0619986188f292bd SHA1: bbe83c739d22eecfacd06d7e0b99ba13277040ed SHA256:70afcf888aee418c52ef3056de9a035eb4163312944370030025bd0be976bd83 Referenced In Project/Scope: java-sec-code:compile poi-ooxml-3.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
In Apache POI up to 4.1.0, when using the tool XSSFExportToXml to convert user-provided Microsoft Excel documents, a specially crafted document can allow an attacker to read files from the local filesystem or from internal network resources via XML External Entity (XXE) Processing.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.
CWE-20 Improper Input Validation, CWE-770 Allocation of Resources Without Limits or Throttling
The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
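Most of the POI advisories above, listed under both poi and poi-ooxml, are the same two parser weaknesses: external entity resolution (XXE) and recursive entity expansion (XEE) in the XML parts of an OOXML package. Upgrading POI is the fix; where an application also parses such XML parts itself, the JDK parser should be locked down the same way. The following is an added example, not Apache POI code, showing a `DocumentBuilder` configured to reject any DOCTYPE and external entity, exercised on constructed payloads in the shapes the advisories describe. The class name and the sample documents are illustrative.

```java
// Added example, not Apache POI code: a JDK DOM parser configured to refuse
// DTDs and external entities, and a check showing that the XXE/XEE payload shapes
// described above are rejected. Upgrading POI is still the fix; this is the
// defence for any place the same XML parts are parsed directly.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public final class HardenedXml {

    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE at all: removes external entities and entity expansion in one go.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still accept a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JDK's entity expansion and size limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** "ok" when the document parsed, otherwise the parser's rejection message. */
    public static String tryParse(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "ok: root element " + d.getDocumentElement().getTagName();
        } catch (SAXException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads in the shapes the advisories describe.
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY x SYSTEM \"file:///etc/passwd\">]>\n"
                + "<r>&x;</r>";
        String xee = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY a \"aaaaaaaaaa\"><!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">]>\n"
                + "<r>&b;&b;&b;&b;</r>";
        String benign = "<?xml version=\"1.0\"?><sheetData><row r=\"1\"/></sheetData>";
        for (String doc : new String[] {xxe, xee, benign}) {
            System.out.println(tryParse(doc));
        }
    }
}
```

Because `disallow-doctype-decl` rejects the document at the DOCTYPE, neither the external entity nor the expansion is ever evaluated; the remaining features only matter if that first switch is unavailable in a given parser implementation.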
File Path: /home/khannasa/.m2/repository/org/postgresql/postgresql/42.3.1/postgresql-42.3.1.jar MD5: 30299cd5ee3f86eb748b6cc1157df484 SHA1: 9ca7df660e875b91c78e3d1608d4d7469ad3470c SHA256:8370570857da86eb4a76dd3d8505d34bac0c18186741fa83a6820a10fa441cb4 Referenced In Project/Scope: java-sec-code:compile postgresql-42.3.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | postgresql | High
Vendor | jar | package name | driver | Highest
Vendor | jar | package name | jdbc | Highest
Vendor | jar | package name | postgresql | Highest
Vendor | Manifest | automatic-module-name | org.postgresql.jdbc | Medium
Vendor | Manifest | bundle-copyright | Copyright (c) 2003-2020, PostgreSQL Global Development Group
pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the postgresql library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrary classes loaded this way. Users using plugins are advised to upgrade. There are no known workarounds for this issue.
In pgjdbc before 42.3.3, an attacker (who controls the JDBC URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PgJDBC implementation of the `java.sql.ResultSet.refreshRow()` method does not escape column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User applications that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table whose column names contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
pgjdbc is an open source PostgreSQL JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This temporary file is readable by other users on Unix-like systems, but not on MacOS. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, setting the java.io.tmpdir system property to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
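The pgjdbc advisories for plugin class loading and for loggerFile/loggerLevel above share one precondition: an attacker who controls the JDBC URL or connection properties, which the vendor treats as the application's fault rather than the driver's. The following added example, not pgjdbc code, shows that application-side defence: detect the class-loading and logging properties named above in any caller-supplied URL, and otherwise build the URL from an allow-list of hosts with a fixed property set, never merging caller input. The class name, allow-list and sample URLs are constructed for illustration; `socketFactoryArg` and `sslfactoryarg` are pgjdbc's companion argument properties for two of the listed plugin properties and are not named in the report.

```java
// Added example, not part of pgjdbc: build the JDBC connection from an allow-list
// instead of passing a caller-supplied URL or Properties to DriverManager, since
// the advisories above all start from attacker-controlled connection properties.
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Pattern;

public final class SafePgUrl {

    /** Properties from the advisories above that load classes or write files (lower-cased). */
    static final Set<String> DANGEROUS = new HashSet<>(Arrays.asList(
            "authenticationpluginclassname", "sslhostnameverifier", "socketfactory",
            "sslfactory", "sslpasswordcallback",
            // companion argument properties for socketFactory / sslfactory (not named in the report)
            "socketfactoryarg", "sslfactoryarg",
            "loggerfile", "loggerlevel"));

    private static final Pattern HOST = Pattern.compile("[A-Za-z0-9.-]{1,253}");
    private static final Pattern DBNAME = Pattern.compile("[A-Za-z0-9_]{1,63}");

    /**
     * Returns the dangerous property names found in a caller-supplied JDBC URL's query
     * string, or an empty set. Useful as a detection check over existing configuration.
     */
    public static Set<String> dangerousKeys(String jdbcUrl) {
        Set<String> hits = new HashSet<>();
        int q = jdbcUrl.indexOf('?');
        if (!jdbcUrl.startsWith("jdbc:") || q < 0) {
            return hits;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            String key = pair.split("=", 2)[0].toLowerCase(Locale.ROOT);
            if (DANGEROUS.contains(key)) {
                hits.add(key);
            }
        }
        return hits;
    }

    /**
     * Builds a URL from validated parts only: the host must be on the allow-list and
     * no query string is ever taken from the caller.
     */
    public static String build(String host, int port, String db, Set<String> allowedHosts) {
        if (!HOST.matcher(host).matches() || !allowedHosts.contains(host)) {
            throw new IllegalArgumentException("host not allowed: " + host);
        }
        if (port < 1 || port > 65535) {
            throw new IllegalArgumentException("bad port: " + port);
        }
        if (!DBNAME.matcher(db).matches()) {
            throw new IllegalArgumentException("bad database name: " + db);
        }
        return "jdbc:postgresql://" + host + ":" + port + "/" + db;
    }

    /** Connection properties are fixed here and never merged from user input. */
    public static Properties fixedProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        p.setProperty("sslmode", "verify-full");
        return p;
    }

    public static void main(String[] args) {
        // Constructed URLs in the shapes the advisories describe; the last one is clean.
        String[] untrusted = {
            "jdbc:postgresql://db.example.test/app?loggerLevel=DEBUG&loggerFile=/var/lib/tomcat/webapps/ROOT/x.jsp",
            "jdbc:postgresql://db.example.test/app?socketFactory=com.example.NotASocketFactory&socketFactoryArg=anything",
            "jdbc:postgresql://db.example.test/app",
        };
        for (String u : untrusted) {
            System.out.println(dangerousKeys(u) + " <- " + u);
        }
        Set<String> allowed = new HashSet<>(Arrays.asList("db.example.test"));
        System.out.println(build("db.example.test", 5432, "app", allowed));
        System.out.println(fixedProperties("app", "secret").stringPropertyNames());
    }
}
```

The `refreshRow()` injection above is a different precondition: it is triggered by column names in a schema the application queries, not by connection properties, so the defence there is to upgrade and to avoid calling `refreshRow()` as a privileged user against schemas owned by less-trusted users.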
Protocol Buffers are a way of encoding structured data in an efficient yet
extensible format.
License:
New BSD license: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/khannasa/.m2/repository/com/google/protobuf/protobuf-java/2.6.0/protobuf-java-2.6.0.jar MD5: afeba6a0d697cdfd8db8636bd75fc0ee SHA1: 88ba32feefe385d5dc284b71f649201eabd15778 SHA256:5636b013420f19c0a5342dab6de33956e20a40b06681d2cf021266d6ef478c6e Referenced In Project/Scope: java-sec-code:compile protobuf-java-2.6.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/mysql/mysql-connector-java@8.0.12
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon/2.2.0/ribbon-2.2.0.jar MD5: becddabf00c5eebbf4e28a4c8f000eb8 SHA1: 5c906c20896e72c60231b7367249e8d329d7565f SHA256:01de55e90931c5702cb2766909b5dc9ebcd09b617f22862353f5dd025c33986f Referenced In Project/Scope: java-sec-code:compile ribbon-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon-core/2.2.0/ribbon-core-2.2.0.jar MD5: 21e9e29b3b55620b857ae66977e25584 SHA1: 6033ba88ac7ce1e76337f66a74121e0b9886391d SHA256:092254a0afa03111a9fc4c02e8c7532a90f8ddf4f3dc3104232aed177f23c07d Referenced In Project/Scope: java-sec-code:compile ribbon-core-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon-eureka/2.2.0/ribbon-eureka-2.2.0.jar MD5: 68c6585af5eebd38fbd96ea8d2363387 SHA1: 01c630f487c11725fa4a674126238621a11a991c SHA256:1cf714d65279eec329ab519ea797b6bbb9f65f184e15ca18abf948897b1d9beb Referenced In Project/Scope: java-sec-code:compile ribbon-eureka-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon-httpclient/2.2.0/ribbon-httpclient-2.2.0.jar MD5: 9ad4cbd0584e496515f71ebeed0fed7e SHA1: ae3677b0fb963fad3198fe7324030a6f7c8ba6c2 SHA256:72294f7816146c2d8b4ecc7302bbd1fe7cc44eb99e5442634cd613b9a4c8f6e5 Referenced In Project/Scope: java-sec-code:compile ribbon-httpclient-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon-loadbalancer/2.2.0/ribbon-loadbalancer-2.2.0.jar MD5: a7ec6a893cdaf79333ee6aee0e6cb6f1 SHA1: 6f96ecf9cfa330403ade3d8db619aa0c500ca13e SHA256:0e363936eff6f23a689db1ed02c77ae318d15a740c19840f90f47219dbe1bac8 Referenced In Project/Scope: java-sec-code:compile ribbon-loadbalancer-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/ribbon/ribbon-transport/2.2.0/ribbon-transport-2.2.0.jar MD5: f9566bb374d49c22457e439dabe9b8b6 SHA1: e094ddf98801b54597c7e12365fbf11b948e83db SHA256:f47cded77a4c2c3e5c106b79d681e1d3fa2bb53b586a67fdbf31cea23e54ed0b Referenced In Project/Scope: java-sec-code:runtime ribbon-transport-2.2.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/reactivex/rxjava/1.1.10/rxjava-1.1.10.jar MD5: c109c28cda75fab0900dad58e1d82b70 SHA1: 2ac360e8a47601a8dfd044e646f05b99d151f2e0 SHA256:11dbeae923b0ad8524fef398e0fdd25d0188dc76a22022aefc8b0bf209e7880d Referenced In Project/Scope: java-sec-code:compile rxjava-1.1.10.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/reactivex/rxnetty/0.4.9/rxnetty-0.4.9.jar MD5: a25223e23e23cde545387fcb6e8b9018 SHA1: 5aff3c9d6bb9d9066c378bb3d2a4413ed1773bcf SHA256:fe8f9baba840bf1c89e5524ad98a8dbe3e24ef6ec5bfc067766d718904437d0b Referenced In Project/Scope: java-sec-code:runtime rxnetty-0.4.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/reactivex/rxnetty-contexts/0.4.9/rxnetty-contexts-0.4.9.jar MD5: a6d0bc0c8e33aded4dee91c3f3f7c561 SHA1: 6efe17a25602a5424c18ab975aa9c28b6d6b7f56 SHA256:019e344cd3d19bc70057a5d53a68fc529f405fa0258cae47facacb083238731b Referenced In Project/Scope: java-sec-code:runtime rxnetty-contexts-0.4.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/reactivex/rxnetty-servo/0.4.9/rxnetty-servo-0.4.9.jar MD5: 06654b96f18f8411da0ae2dc592e860a SHA1: b7d6d6e132686c280f16710eaa3e90719f6808f8 SHA256:e61e8889d99d2b0be792c8a07e168e704ae3737a51f84b641cd244bafb1f9d8e Referenced In Project/Scope: java-sec-code:runtime rxnetty-servo-0.4.9.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/servo/servo-core/0.10.1/servo-core-0.10.1.jar MD5: cb0652b12e9866abf97ae0f13d5cf97f SHA1: 7461ed61647f9996c88ad822546ffc7851a45e0e SHA256: 1c9eb119ff2b6d0c47283391d3e334fadbb7e90854a6ad5b6991594e3981f5cf Referenced In Project/Scope: java-sec-code:runtime servo-core-0.10.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/com/netflix/servo/servo-internal/0.10.1/servo-internal-0.10.1.jar MD5: 41c4aa1ee210dadc07081e830f1e8fda SHA1: bb6f9cd7b309189bad01b93a806ba9d6cb5d915a SHA256: d21922d1de0ac135d888a6d2016486dd6fe8e9fc4db3cf007bef4f5d3b7873ad Referenced In Project/Scope: java-sec-code:runtime servo-internal-0.10.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/slf4j/slf4j-api/1.7.22/slf4j-api-1.7.22.jar MD5: 897d990eb5463fd5288092524c105769 SHA1: a1c83373863cec7ae8d89dc1c5722d8cb6ec0309 SHA256: 3a4cd4969015f3beb4b5b4d81dbafc01765fb60b8a439955ca64d8476fef553e Referenced In Project/Scope: java-sec-code:compile slf4j-api-1.7.22.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/yaml/snakeyaml/1.21/snakeyaml-1.21.jar MD5: b16142890b39db3ff828085f56845b51 SHA1: 18775fdda48574784f40b47bf478ab0593f92e4d SHA256: e43cb0683f70804b833dfaa5ac032ff14ba0c758d4a1e9eaeb6640515df83faf Referenced In Project/Scope: java-sec-code:compile snakeyaml-1.21.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot/1.5.1.RELEASE/spring-boot-1.5.1.RELEASE.jar MD5: 32a0a1879b325320685d7093ab0dc4d5 SHA1: 670ebd283098aa2d8a397af84fbe6ea152a4d8fa SHA256: 4a76f4196f22f246c1ace959a3f35e3cf8b8f1ad80aff9db0d9d404aa1e0e26e Referenced In Project/Scope: java-sec-code:compile spring-boot-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')
Apache License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-security/2.1.5.RELEASE/spring-boot-starter-security-2.1.5.RELEASE.jar MD5: 52c7d8f07ef625b2e1ac8741329da07b SHA1: 6c4509c39b8c7347e8226905b40071933ecde5e8 SHA256: e33e85beca1f624d3fa4d3ba986fdf4a623b105f5d091034947d101c1771657e Referenced In Project/Scope: java-sec-code:compile spring-boot-starter-security-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Starter for building MVC web applications using Thymeleaf views
File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-thymeleaf/1.5.1.RELEASE/spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar MD5: dfcd870176f1eff2472ed1927b753e87 SHA1: 073ac6e73f4ec4083ba7adccf58e2319a1bbfffe SHA256: 13e2688435d8c1e88112f0eef1d5ddeefb5e5c7e62eadc42c6a647a53a621bbf Referenced In Project/Scope: java-sec-code:compile spring-boot-starter-thymeleaf-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
File Path: /home/khannasa/.m2/repository/org/springframework/boot/spring-boot-starter-web/1.5.1.RELEASE/spring-boot-starter-web-1.5.1.RELEASE.jar MD5: 1f1c52c46004d5539ad2824018b2044e SHA1: 8404c45cb53a05edcd0ad8fc57a5fe43462263d8 SHA256: 43b492f766a8caea07468f18d1c125b0d6015b793bd25ba16e2d5a56dc06421a Referenced In Project/Scope: java-sec-code:compile spring-boot-starter-web-1.5.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Malicious PATCH requests submitted to servers using Spring Data REST versions prior to 2.6.9 (Ingalls SR9), versions prior to 3.0.1 (Kay SR1) and Spring Boot versions prior to 1.5.9, 2.0 M6 can use specially crafted JSON data to run arbitrary Java code.
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.
In Spring Boot versions 3.0.0 - 3.0.5, 2.7.0 - 2.7.10, and older unsupported versions, an application that is deployed to Cloud Foundry could be susceptible to a security bypass. Users of affected versions should apply the following mitigation: 3.0.x users should upgrade to 3.0.6+. 2.7.x users should upgrade to 2.7.11+. Users of older, unsupported versions should upgrade to 3.0.6+ or 2.7.11+.
spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
In Spring Boot versions 3.0.0 - 3.0.6, 2.7.0 - 2.7.11, 2.6.0 - 2.6.14, 2.5.0 - 2.5.14 and older unsupported versions, there is potential for a denial-of-service (DoS) attack if Spring MVC is used together with a reverse proxy cache.
Spring Boot supports an embedded launch script that can be used to easily run the application as a systemd or init.d Linux service. The script included with Spring Boot 1.5.9 and earlier and 2.0.0.M1 through 2.0.0.M7 is susceptible to a symlink attack which allows the "run_user" to overwrite and take ownership of any file on the same system. In order to instigate the attack, the application must be installed as a service and the "run_user" requires shell access to the server. Spring Boot applications that are not installed as a service, or are not using the embedded launch script, are not susceptible.
CWE-59 Improper Link Resolution Before File Access ('Link Following')
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-commons/1.1.3.RELEASE/spring-cloud-commons-1.1.3.RELEASE.jar MD5: c5de4fd6889d2bfbf5064d464c43eba0 SHA1: fc4099295d2ad19ebd3ac7a28a15184d59678266 SHA256: 855ec1fc8b0895aec080b5266b0ad13868920f1918f6a9b45799376760df93bf Referenced In Project/Scope: java-sec-code:compile spring-cloud-commons-1.1.3.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-context/1.1.3.RELEASE/spring-cloud-context-1.1.3.RELEASE.jar MD5: f61405eee49644885c283dd1fbc29419 SHA1: ce3bef43b48bd095474aa232c14bcff143a75723 SHA256: 26ee691c229db9009f40c0beb451e09e5fd23b26b81474c53350030ddcd82483 Referenced In Project/Scope: java-sec-code:compile spring-cloud-context-1.1.3.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-netflix-core/1.2.0.RELEASE/spring-cloud-netflix-core-1.2.0.RELEASE.jar MD5: 37000cfeb6af38da6b6dfc790cacaefe SHA1: 726d74fd9b78fdcdef6f4170867c2ae43c428ebd SHA256: da7aee290e624ec47afcbb9bfc693546a17a6bef9cde3adbf81af7fbc104b7e5 Referenced In Project/Scope: java-sec-code:compile spring-cloud-netflix-core-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere
Applications using the “Sensitive Headers” functionality in Spring Cloud Netflix Zuul 2.2.6.RELEASE and below may be vulnerable to bypassing the “Sensitive Headers” restriction when executing requests with specially constructed URLs. Applications that use Spring Security's StrictHttpFirewall (enabled by default for all URLs) are not affected by the vulnerability, as they reject requests that allow bypassing.
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-netflix-eureka-client/1.2.0.RELEASE/spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar MD5: 739a2fdf71e05250ca5febde591d16af SHA1: bb56ce32fa34d124976bee60d39363dc74e50f07 SHA256: 3f2d26ebf5b06a445edfae19325de650d9dec260cbd9646ce6c9c6d27bfd714e Referenced In Project/Scope: java-sec-code:compile spring-cloud-netflix-eureka-client-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-starter/1.1.3.RELEASE/spring-cloud-starter-1.1.3.RELEASE.jar MD5: 042910deec71ab4a4a734c9333391642 SHA1: a887cba9075c0eeee380643f87d15df1a4899120 SHA256: 6bed61c9ba23d2930f91241b250b16276ab313e3c9ab4492a2cf2a0bf1405693 Referenced In Project/Scope: java-sec-code:compile spring-cloud-starter-1.1.3.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/org/springframework/cloud/spring-cloud-starter-netflix-ribbon/1.4.0.RELEASE/spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar MD5: e9ba870587d8664f1f76cbcbe3de8719 SHA1: cd8fb40e62f8480a5fad90e355a2cb7b3ed382b3 SHA256: 67abbdc0b356ec8ef1a00ce8a3d1574dc1ace48349833068939a2273af6f3f8c Referenced In Project/Scope: java-sec-code:compile spring-cloud-starter-netflix-ribbon-1.4.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Spring Cloud Netflix, versions 2.2.x prior to 2.2.4, versions 2.1.x prior to 2.1.6, and older unsupported versions allow applications to use the Hystrix Dashboard proxy.stream endpoint to make requests to any server reachable by the server hosting the dashboard. A malicious user, or attacker, can send a request to other servers that should not be exposed publicly.
CWE-610 Externally Controlled Reference to a Resource in Another Sphere
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-core/4.3.6.RELEASE/spring-core-4.3.6.RELEASE.jar MD5: bcce5a2acc9b2b8b67b94fdae6f63123 SHA1: 690da099c3c2d2536210f0fd06ff3f336de43ad9 SHA256: c451e8417adb2ffb2445636da5e44a2f59307c4100037a1fe387c3fba4f29b52 Referenced In Project/Scope: java-sec-code:compile spring-core-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
File Path: /home/khannasa/.m2/repository/org/springframework/data/spring-data-commons/1.13.11.RELEASE/spring-data-commons-1.13.11.RELEASE.jar MD5: 74a944a79234e4976e2ae3221a1dcbfb SHA1: 481434bd66c1cf6ff72902a89ad778156e924382 SHA256: 11a25c4f1efffc8df5a6e2146263e9f93317361e8d9f642e4873590c8d9fe165 Referenced In Project/Scope: java-sec-code:compile spring-data-commons-1.13.11.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-expression/4.3.6.RELEASE/spring-expression-4.3.6.RELEASE.jar MD5: a64298e9039c376a20af757575d790a8 SHA1: 013b53568cfd7b308e70efcbac6cdd0c5d597ba1 SHA256: 05d4b82232a83014cb55f92b7bdd3c334ada22695f059eb9d74b988d6e1bf5f0 Referenced In Project/Scope: java-sec-code:compile spring-expression-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
In Spring Framework versions prior to 5.2.24, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allows applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20, 5.2.22 and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
File Path: /home/khannasa/.m2/repository/org/springframework/plugin/spring-plugin-core/1.2.0.RELEASE/spring-plugin-core-1.2.0.RELEASE.jar MD5: 4e6325e5ed2c1aa1949313c184d83640 SHA1: f380e7760032e7d929184f8ad8a33716b75c0657 SHA256: de8d411556cccbb9a68a4b40f847e473593336412de86fb3f6f7f61f3923c09e Referenced In Project/Scope: java-sec-code:compile spring-plugin-core-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
File Path: /home/khannasa/.m2/repository/org/springframework/plugin/spring-plugin-metadata/1.2.0.RELEASE/spring-plugin-metadata-1.2.0.RELEASE.jar MD5: 63a461c6e878b1a510f0bb5c58b7ade7 SHA1: 97223fc496b6cab31602eedbd4202aa4fff0d44f SHA256: aa58a6e6d038553b6bfae03bd18cd985e4bfb37cb2fb6406551b87f57283b00a Referenced In Project/Scope: java-sec-code:compile spring-plugin-metadata-1.2.0.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-config/4.2.12.RELEASE/spring-security-config-4.2.12.RELEASE.jar MD5: 51e2debb3aab977944731ede0ca9cbb8 SHA1: 19a2d650433e4b71ba32b833e8b6bacfd8bc76a3 SHA256: 2bb66116a3e6fcef60e9490f44f1e19888b8033fcfa6701b0eb4d711a613c9c6 Referenced In Project/Scope: java-sec-code:compile spring-security-config-4.2.12.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-core/4.2.1.RELEASE/spring-security-core-4.2.1.RELEASE.jar MD5: fcc2d53ce70be65eabefd2f62791900b SHA1: 4e8ae0eb3218e1cacc3d7bd2eb41929799340618 SHA256: a2e9e975d24e5f1433021333f9320aef9184bab9023da8a4b2b7405fe630c435 Referenced In Project/Scope: java-sec-code:compile spring-security-core-4.2.1.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.security/spring-security-web@4.2.12.RELEASE
In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
An issue was discovered in Pivotal Spring Security 4.2.0.RELEASE through 4.2.2.RELEASE, and Spring Security 5.0.0.M1. When configured to enable default typing, Jackson contained a deserialization vulnerability that could lead to arbitrary code execution. Jackson fixed this vulnerability by blacklisting known "deserialization gadgets." Spring Security configures Jackson with global default typing enabled, which means that (through the previous exploit) arbitrary code could be executed if all of the following are true: (1) Spring Security's Jackson support is being leveraged by invoking SecurityJackson2Modules.getModules(ClassLoader) or SecurityJackson2Modules.enableDefaultTyping(ObjectMapper); (2) Jackson is used to deserialize data that is not trusted (Spring Security does not perform deserialization using Jackson, so this is an explicit choice of the user); and (3) there is an unknown (Jackson is not blacklisting it already) "deserialization gadget" that allows code execution present on the classpath. Jackson provides a blacklisting approach to protecting against this type of attack, but Spring Security should be proactive about blocking unknown "deserialization gadgets" when Spring Security enables default typing.
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
Spring Security RSA is a small utility library for RSA ciphers. It belongs to the family of Spring Security crypto libraries that handle encoding and decoding text as a general, useful thing to be able to do.
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-rsa/1.0.3.RELEASE/spring-security-rsa-1.0.3.RELEASE.jar MD5: 02d29965d42274d0f5c8c70892c558f1 SHA1: b0b1ee770597b5de1b51e9a889dfd2dc35d251b0 SHA256: 957c82424689b33050ec265867cf5c7c021cc7fc185bcb47f708b049af9af30b Referenced In Project/Scope: java-sec-code:compile spring-security-rsa-1.0.3.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
The Apache Software License, Version 2.0: https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/security/spring-security-web/4.2.12.RELEASE/spring-security-web-4.2.12.RELEASE.jar MD5: ffd237d86bd9a3a8dde70d112a27c556 SHA1: 841a10bd80c682549d90f065276f5164519800e5 SHA256: 88313c11bc23e9245142ffeaa9f0236eb09e2d58729afdd30355a7445f4f3fb3 Referenced In Project/Scope: java-sec-code:compile spring-security-web-4.2.12.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
In Spring Security versions prior to 5.4.11, 5.5.7, 5.6.4 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
Spring Security, versions 4.2.x up to 4.2.12, and older unsupported versions support plain text passwords using PlaintextPasswordEncoder. If an application using an affected version of Spring Security is leveraging PlaintextPasswordEncoder and a user has a null encoded password, a malicious user (or attacker) can authenticate using a password of "null".
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed null initialization vector with CBC Mode in the implementation of the queryable text encryptor. A malicious user with access to the data that has been encrypted using such an encryptor may be able to derive the unencrypted values using a dictionary attack.
In Spring Security, versions 5.7.x prior to 5.7.8, versions 5.8.x prior to 5.8.3, and versions 6.0.x prior to 6.0.3, the logout support does not properly clean the security context if using serialized versions. Additionally, it is not possible to explicitly save an empty security context to the HttpSessionSecurityContextRepository. This vulnerability can keep users authenticated even after they performed logout. Users of affected versions should apply the following mitigation. 5.7.x users should upgrade to 5.7.8. 5.8.x users should upgrade to 5.8.3. 6.0.x users should upgrade to 6.0.3.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2023-20862 for details
Spring Security versions 5.5.x prior to 5.5.7, 5.6.x prior to 5.6.4, and earlier unsupported versions contain an integer overflow vulnerability. When using the BCrypt class with the maximum work factor (31), the encoder does not perform any salt rounds, due to an integer overflow error. The default settings are not affected by this CVE.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar MD5: aca2094ae74e7a6b5aab587c44b5cff6 SHA1: 8b8bf8fc6ed4acd5ae0baa6179f1cccc52aaa9aa SHA256: 67ecfc4bb2b225723825a80fcdc823f332d4d66634515a153915af1ded227478 Referenced In Project/Scope: java-sec-code:compile spring-web-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allows applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive, which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
In Spring Framework versions prior to 5.3.20, 5.2.22 and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar MD5: 5e2a226fb55ed5d774a720b8839458e1 SHA1: ea55690d6d61ad70e2569db1e1add1603e427862 SHA256: 5938eae0e70bb383292bbbeed011e3b613f63a9e3c249b24b5df23e7ca4f2822 Referenced In Project/Scope: java-sec-code:compile spring-webmvc-4.3.6.RELEASE.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.16 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. This CVE addresses the partial fix for CVE-2018-1270 in the 4.3.x branch of the Spring Framework.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Name: Spring Framework JDK 9+ Remote Code Execution Vulnerability
Date Added: 2022-04-04
Description: Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding.
Required Action: Apply updates per vendor instructions.
Due Date: 2022-04-25
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CWE-94 Improper Control of Generation of Code ('Code Injection')
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Neither is enabled by default in Spring Framework or Spring Boot; however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Spring Framework, versions 5.0.x prior to 5.0.6, versions 4.3.x prior to 4.3.17, and older unsupported versions allows applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a regular expression denial of service attack.
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
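The root cause above is a mismatch between the path the security layer matches on and the path the container ultimately resolves. The following is an added example written for this report, not Spring Security's matcher: it normalises a request path (one round of percent-decoding, removal of Servlet ";name=value" path parameters such as ;jsessionid, and dot-segment collapsing) before looking up the constraint, and rejects paths that are still encoded afterwards. The constraint table, the default role and the sample paths are assumptions.

```python
"""Added example: normalising a request path before matching it against
security constraints.

Illustrative code for this report, not Spring Security's own matcher.
Servlet path parameters (';name=value', e.g. ';jsessionid=...') and percent
encoding can make two spellings of one resource compare differently; the
matcher must compare the normalised form. Constraint table and samples are
assumptions.
"""
from urllib.parse import unquote

# Assumed constraint table: path prefix -> required role (None = public)
CONSTRAINTS = [("/admin/", "ROLE_ADMIN"), ("/static/", None)]


def strip_path_parameters(path):
    """Remove ';param=value' from every segment: '/a;x=1/b;y' -> '/a/b'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalise(path):
    """Decode once, drop path parameters, then collapse '.' and '..' segments."""
    path = unquote(path)
    path = strip_path_parameters(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    trailing = "/" if path.endswith("/") and parts else ""
    return "/" + "/".join(parts) + trailing


def required_role(raw_path):
    """Return the role a request path needs after normalisation.

    Raises ValueError for paths that still look encoded after one round of
    decoding (double encoding) or that contain backslashes.
    """
    path = normalise(raw_path)
    if "%" in path or "\\" in path:
        raise ValueError(f"rejecting suspicious path {raw_path!r}")
    for prefix, role in CONSTRAINTS:
        if path == prefix.rstrip("/") or path.startswith(prefix):
            return role
    return "ROLE_USER"   # assumed default: anything unlisted needs a login
```

The important property is that the security decision and the resource lookup operate on the same string; whatever normalisation the container applies later must not be able to turn a public-looking path into a protected one.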
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2020-5397 for details
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
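The following is an added example written for this report, not Spring's DataBinder. It models a binder that refuses property paths matching a disallowed pattern, first with case-sensitive matching (the behaviour the description above calls out, where only the exact spelling is blocked) and then with case-insensitive matching, which closes the gap for the first character of the field and of every nested field. The patterns, field names and values are assumptions.

```python
"""Added example: why a case-sensitive disallowedFields list is not a
protection.

Illustrative code for this report, not Spring's DataBinder. A request
parameter whose first character differs in case from the listed pattern
slips past a case-sensitive check; matching case-insensitively blocks it.
Patterns and payloads are assumptions.
"""
import fnmatch


def _matches(pattern, field, case_sensitive):
    """Glob-match one candidate path against one disallowed pattern."""
    if case_sensitive:
        return fnmatch.fnmatchcase(field, pattern)
    return fnmatch.fnmatchcase(field.lower(), pattern.lower())


def bind(target, params, disallowed, case_sensitive=True):
    """Copy request params into target unless a disallowed pattern matches.

    Nested paths use dot notation ('a.b.c'); every prefix of the path is
    checked, so a pattern on 'account' also covers 'account.role'.
    Returns the list of rejected field names, in request order.
    """
    rejected = []
    for field, value in params.items():
        segments = field.split(".")
        prefixes = [".".join(segments[: i + 1]) for i in range(len(segments))]
        blocked = any(
            _matches(p, candidate, case_sensitive)
            for p in disallowed
            for candidate in prefixes
        )
        if blocked:
            rejected.append(field)
        else:
            target[field] = value
    return rejected


# Constructed request: the attacker resubmits a blocked field with the
# first character upper-cased, once at top level and once nested.
REQUEST = {
    "name": "bob",
    "admin": "true",
    "Admin": "true",
    "account.Role": "superuser",
}
DISALLOWED = ["admin", "account.role*"]
```

With case_sensitive=True only "admin" is rejected and both "Admin" and "account.Role" reach the model; with case_sensitive=False all three are rejected and only "name" is bound.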
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
CWE-770 Allocation of Resources Without Limits or Throttling
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
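The following is an added example written for this report, not the Spring Framework's own change. It shows the effect the description above refers to (input containing a line break that a log reader sees as an additional, forged entry) and a sanitiser that encodes control characters so that one request always yields one line. The log format, the field name and the sample input are constructed assumptions.

```python
"""Added example: neutralising log-forging input before it reaches a log line.

Illustrative code for this report, not Spring's own change. Control
characters (CR, LF, ESC and friends) are rendered as \\xNN escapes and the
value is truncated, so a user cannot inject a second entry or terminal
escape sequences. Log format and sample input are assumptions.
"""
import re

_CTRL = re.compile(r"[\x00-\x1f\x7f]")   # C0 controls incl. CR, LF, TAB, ESC


def sanitize_for_log(value, max_len=200):
    """Escape control characters as \\xNN and truncate to max_len characters."""
    cleaned = _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))
    return cleaned[:max_len] + ("..." if len(cleaned) > max_len else "")


def login_failed_entry(username, sanitize=True):
    """Build the log entry for a failed login; sanitize=False shows the flaw."""
    shown = sanitize_for_log(username) if sanitize else username
    return f"WARN login failed for user={shown}"


def count_entries(text):
    """Number of entries a line-oriented log reader would see."""
    return len(text.splitlines())


# Constructed attacker input: a username carrying a newline followed by a
# fabricated success entry for another account.
FORGED_USERNAME = "alice\nINFO login ok for user=admin"
```

Escaping rather than stripping keeps the evidence of the attempt in the log, which is what an incident responder wants to see.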
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-core/2.9.2/springfox-core-2.9.2.jar MD5: 28b0d37b0ce9483597466f49a37ce562 SHA1: 2e26f58939c594fb5c958c3a1c7bedf83d2f2702 SHA256:70ed452095f0cf4d916d4f5120e79f9ea7ba609f4fdfb1f6e863227c20dd0a0b Referenced In Project/Scope: java-sec-code:compile springfox-core-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-schema/2.9.2/springfox-schema-2.9.2.jar MD5: 2d5a141a7c85c9b82acb4c16710c36ee SHA1: e268f38774b16bb51a92ccaef0dcf3dc651c0cee SHA256:f289487967890dbb3698aaa9eaaac656c9bb9e30ee8cd399980ae8d8f888783f Referenced In Project/Scope: java-sec-code:compile springfox-schema-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-spi/2.9.2/springfox-spi-2.9.2.jar MD5: 1433cbbb72dabde215e83f1e4faa5cbf SHA1: 6ac686190a6ceaccdae8b50d03b0501d144a6666 SHA256:8e0d6a9ef7b75060f2fd1797759880d259b292c159043bd624d68f1b57734d79 Referenced In Project/Scope: java-sec-code:compile springfox-spi-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-spring-web/2.9.2/springfox-spring-web-2.9.2.jar MD5: 427322d64ff9ce6fa431afe35329f52b SHA1: ed2ed714a6cba8804d00f80f0534901e4c7a3211 SHA256:df925e7a2435de246afd68b83800e1f2a4b6d8031692298740e261a4a9b30b3d Referenced In Project/Scope: java-sec-code:compile springfox-spring-web-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-swagger-common/2.9.2/springfox-swagger-common-2.9.2.jar MD5: bd3d55991beef2ca5e98ee61215c33da SHA1: b38a41b3044af80cb7f41f67be5d158c9f6491ec SHA256:1d8534e2d38f989a84900166264cde966e9368ce0af74ce5ddda48ab6cd744fb Referenced In Project/Scope: java-sec-code:compile springfox-swagger-common-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-swagger-ui/2.9.2/springfox-swagger-ui-2.9.2.jar MD5: 83e94205067bcdcfafaaa4e08f38ef81 SHA1: d542382a88ff3ea8d4032c28b2b0325797fada7d SHA256:44ee72b046428a694c44095c60f8156bcc505faff2d5b142b0f8175a6570b307 Referenced In Project/Scope: java-sec-code:compile springfox-swagger-ui-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
JSON API documentation for spring based applications
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/io/springfox/springfox-swagger2/2.9.2/springfox-swagger2-2.9.2.jar MD5: 34d27cb411e654f3c2b69bf536984e77 SHA1: 362676bc7f4c6f9f1d568741becab0dfc198c898 SHA256:5341bf351c3e14e5a8436f81eeb2dc8f9f07ef83c8cd046b4e0edea33d0f8c52 Referenced In Project/Scope: java-sec-code:compile springfox-swagger2-2.9.2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /home/khannasa/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar MD5: 7d18b63063580284c3f5734081fdc99f SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b SHA256:e8c70ebd76f982c9582a82ef82cf6ce14a7d58a4a4dca5cb7b7fc988c80089b7 Referenced In Project/Scope: java-sec-code:runtime stax-api-1.0-2.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
StAX API is the standard java XML processing API defined by JSR-173
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar MD5: 7d436a53c64490bee564c576babb36b4 SHA1: 49c100caf72d658aca8e58bd74a4ba90fa2b0d70 SHA256:d1968436fc216c901fb9b82c7e878b50fd1d30091676da95b2edd3a9c0ccf92e Referenced In Project/Scope: java-sec-code:compile stax-api-1.0.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Stax2 API is an extension to the basic Stax 1.0 API that adds significant new functionality, such as a full-featured bi-directional validation interface and a high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/khannasa/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.4/stax2-api-3.1.4.jar MD5: c08e89de601b0a78f941b2c29db565c3 SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7 SHA256:86d7c0b775a7c9b454cc6ba61d40a8eb3b99cc129f832eb9b977a3755b4b338e Referenced In Project/Scope: java-sec-code:runtime stax2-api-3.1.4.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/khannasa/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar MD5: b58ca53e518a92a1991eb63b61917582 SHA1: 59ec8083721eae215c6f3caee944c410d2be34de SHA256:f66ce72e965e5301cb0f020e54d2ba6ad76feb91b3cbfc30dbbf00c06a6df6d7 Referenced In Project/Scope: java-sec-code:runtime stringtemplate-3.2.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
File Path: /home/khannasa/.m2/repository/io/swagger/swagger-annotations/1.5.20/swagger-annotations-1.5.20.jar MD5: 619f94ec2cfa0276622657810eada472 SHA1: 16051f93ce11ca489a5313775d825f82fcc2cd6c SHA256:69dee1ef78137a3ac5f9716193224049eab41b83fc6b845c2522efceb0af0273 Referenced In Project/Scope: java-sec-code:compile swagger-annotations-1.5.20.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
File Path: /home/khannasa/.m2/repository/io/swagger/swagger-models/1.5.20/swagger-models-1.5.20.jar MD5: 9a816507533880637936bee8c27b238e SHA1: fb3a23bad80c5ed84db9dd150db2cba699531458 SHA256:0adbb590fc665f17594f8bc7acce6871ed5602c8a50d0ad5419e3b72efaef639 Referenced In Project/Scope: java-sec-code:compile swagger-models-1.5.20.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/io.springfox/springfox-swagger2@2.9.2
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/thymeleaf/thymeleaf/2.1.5.RELEASE/thymeleaf-2.1.5.RELEASE.jar MD5: a7e95d2915820f069a220b66ba65232f SHA1: 513bffa3daaac277460c1a0a2dccb228fa40569e SHA256:f23eaecff7b6361919416ef6ee06052b6d5a2b7a409047c67a8f4264dd01d2b9 Referenced In Project/Scope: java-sec-code:compile thymeleaf-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
A dialect for Thymeleaf that allows you to use layout/decorator templates to style your content.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/nz/net/ultraq/thymeleaf/thymeleaf-layout-dialect/1.4.0/thymeleaf-layout-dialect-1.4.0.jar MD5: c7f68cea0796caf11585998f3bbe858f SHA1: 08d7810c069ed1534b9631fb1e85c35973546086 SHA256:fd844d2e2fe97ca92f66cc8584cd1246f975a728ea95065ada1d82322267a52e Referenced In Project/Scope: java-sec-code:compile thymeleaf-layout-dialect-1.4.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/thymeleaf/thymeleaf-spring4/2.1.5.RELEASE/thymeleaf-spring4-2.1.5.RELEASE.jar MD5: 3fd4f26581a703c6a8a698356d14216a SHA1: 74cb9028e99597b5d71a98e919fd531a7fc290b4 SHA256:1e5b114ec1cffb6cbd4cc83cb16690d40c58e1175aba41cdf4274155c59ac859 Referenced In Project/Scope: java-sec-code:compile thymeleaf-spring4-2.1.5.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/tomcat-annotations-api/8.5.85/tomcat-annotations-api-8.5.85.jar MD5: a547f5c74adc1046830867c37f2b7e87 SHA1: fef43417f20381186247c0af1f85e7d60e82f085 SHA256:4a0d8702fe6d50777ae5b0ce0192b514221ae53c82116e557c5522cb54ffab83 Referenced In Project/Scope: java-sec-code:compile tomcat-annotations-api-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.85/tomcat-embed-core-8.5.85.jar MD5: 1f0d439166806481c3c5af923fd972ec SHA1: 5dc09ff658c7387f0a6724515e6b6fbd56965f5f SHA256:7c350a8ad6b07d158e3bdc468e9ba18eaca27f90ec7e16ac9f33bcf869ea2e51 Referenced In Project/Scope: java-sec-code:compile tomcat-embed-core-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/embed/tomcat-embed-el/8.5.85/tomcat-embed-el-8.5.85.jar MD5: 8fd7d18d9f2a7e1c65b5f99853856ffa SHA1: 118826c9bd710689ec0d1bdc2b15588afa111c56 SHA256:a38872cc4cb22697133764d9184e12905edcc64cb92b38a6d18dc86a8352b198 Referenced In Project/Scope: java-sec-code:compile tomcat-embed-el-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/8.5.85/tomcat-embed-websocket-8.5.85.jar MD5: 17d0be26a0fe25e4c526463dabe72d99 SHA1: 96e4e7d3eb20dc8712dc5ed8dcaba749ee8b9d3e SHA256:e654eb8fcfad5a0f9f323b26f14b886edc4af34a5f275d7eec3b83396129edc1 Referenced In Project/Scope: java-sec-code:compile tomcat-embed-websocket-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in-progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk, creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
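The RemoteIpFilter finding above is listed for both tomcat-embed-core and tomcat-embed-websocket; one example covers both. The following is an added example written for this report, not Tomcat's RemoteIpFilter: it derives the effective scheme from X-Forwarded-Proto only when the TCP peer is a trusted proxy, and sets the Secure attribute on the session cookie whenever the client's connection was TLS even though the hop to the application was plain HTTP. The trusted-proxy networks, the cookie name and the SameSite setting are assumptions.

```python
"""Added example: deriving the request scheme from X-Forwarded-Proto and
setting Secure on the session cookie accordingly.

Illustrative code for this report, not Tomcat's RemoteIpFilter. When a proxy
terminates TLS and forwards plain HTTP with X-Forwarded-Proto: https, the
cookie must still carry Secure; the header is honoured only from trusted
peers so an internet client cannot spoof it. Networks, cookie name and
SameSite value are assumptions.
"""
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]  # assumed


def effective_scheme(remote_addr, connection_scheme, headers):
    """Return 'http' or 'https' as seen by the end user.

    X-Forwarded-Proto is trusted only when the immediate peer is one of the
    configured proxies; otherwise the scheme of the actual connection wins.
    """
    peer = ip_address(remote_addr)
    if any(peer in net for net in TRUSTED_PROXIES):
        forwarded = headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if forwarded in ("http", "https"):
            return forwarded
    return connection_scheme


def session_cookie(session_id, remote_addr, connection_scheme, headers,
                   name="JSESSIONID"):
    """Render a Set-Cookie value; Secure is added whenever the user used TLS."""
    attrs = [f"{name}={session_id}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if effective_scheme(remote_addr, connection_scheme, headers) == "https":
        attrs.append("Secure")
    return "; ".join(attrs)
```

A quick way to verify a deployment is to issue a request through the proxy over HTTPS and check that the Set-Cookie response header for the session cookie contains Secure; if the application sees only plain HTTP and does not trust the proxy's X-Forwarded-Proto, the attribute will be missing.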
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/tomcat-jdbc/8.5.85/tomcat-jdbc-8.5.85.jar MD5: c0c4e6a9167648990679424a09f3b589 SHA1: 5ef53770e031c860f87fad5cacf63aa148104e8b SHA256:499a8ab6b9b76b77848005a391c9f5b652c566e693bdf18e9dda20a5806542cb Referenced In Project/Scope: java-sec-code:compile tomcat-jdbc-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/tomcat/tomcat-juli/8.5.85/tomcat-juli-8.5.85.jar MD5: 5a85d1659ca1e4535ba036a0b23179ec SHA1: 8269b90811c52ba431772bdc5b713eb543591c96 SHA256:e3df21279d3b0791f9ccd30ee83665c403643e8eaa9000860a9d21a3a793f5f1 Referenced In Project/Scope: java-sec-code:compile tomcat-juli-8.5.85.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.mybatis.spring.boot/mybatis-spring-boot-starter@1.3.2
Advanced yet easy-to-use escape/unescape library for Java
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/unbescape/unbescape/1.1.0.RELEASE/unbescape-1.1.0.RELEASE.jar MD5: 9bccbc680238d9352156891cf53b96b4 SHA1: ab0db4fe0a6fa89fb8da2a40008a4e63a7f3f5b9 SHA256:479f5c5473f69937f5f97b12a78792d0030e9765bbf206af35bc501116a01d87 Referenced In Project/Scope: java-sec-code:compile unbescape-1.1.0.RELEASE.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-thymeleaf@1.5.1.RELEASE
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar MD5: 4c257f52462860b62ab3cdab45f53082 SHA1: 8613ae82954779d518631e05daa73a6a954817d5 SHA256:f39d7ba7253e35f5ac48081ec1bc28c5df9b32ac4b7db20853e5a8e76bf7b0ed Referenced In Project/Scope: java-sec-code:compile validation-api-1.1.0.Final.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE
Apache Velocity is a general purpose template engine.
File Path: /home/khannasa/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar MD5: 3692dd72f8367cb35fb6280dc2916725 SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a SHA256:ec92dae810034f4b46dbb16ef4364a4013b0efb24a8c5dd67435cae46a290d8e Referenced In Project/Scope: java-sec-code:compile velocity-1.7.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Woodstox is a high-performance XML processor that
implements Stax (JSR-173) and SAX2 APIs
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/codehaus/woodstox/woodstox-core-asl/4.4.1/woodstox-core-asl-4.4.1.jar MD5: 1f53f91f117288fb2ef2e120f27e5498 SHA1: 84fee5eb1a4a1cefe65b6883c73b3fa83be3c1a1 SHA256:274fa403ed08c0d6f2f574dc1916adaaaec9a493e56d6442f8797ede620bca65 Referenced In Project/Scope: java-sec-code:runtime woodstox-core-asl-4.4.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
A processor for parsing, validating, serializing and manipulating XML, written in Java
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/khannasa/.m2/repository/com/rackspace/apache/xerces2-xsd11/2.11.1/xerces2-xsd11-2.11.1.jar MD5: 309f809155fc5c4adaf29622c9ffee05 SHA1: a177954cbe5f1dcf1cc04d2dd0e75deebb902f89 SHA256:505e797d1140876ec848d729715a2c409b7fa00a8d538ab9b5a393ff5f9bd9ea Referenced In Project/Scope: java-sec-code:compile xerces2-xsd11-2.11.1.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
File Path: /home/khannasa/.m2/repository/com/monitorjbl/xlsx-streamer/2.0.0/xlsx-streamer-2.0.0.jar MD5: 0a4218280443fb635e9a7dbbb7fd31fd SHA1: 5f879eed9795c4ffe361337b9ae3c4f5f20197da SHA256:21e2f83a355991a184f8ddcb706e4fc1d93a0e2cf4a572f040caa01562546bfb Referenced In Project/Scope: java-sec-code:compile xlsx-streamer-2.0.0.jar is in the transitive dependency tree of the listed items.Included by: pkg:maven/sec/java-sec-code@1.0.0
Excel-Streaming-Reader is an easy-to-use implementation of a streaming Excel reader using Apache POI. Prior to xlsx-streamer 2.1.0, the XML parser that was used did not apply all the necessary settings to prevent XML Entity Expansion issues. Upgrade to version 2.1.0 to receive a patch. There is no known workaround.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
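The Woodstox finding (DTD support enabled on untrusted input) and the xlsx-streamer finding (missing XML Entity Expansion settings) reduce to the same rule: a parser fed untrusted XML must not process DTDs at all. The following is an added example written for this report, not the configuration of Woodstox, xlsx-streamer or Apache POI. It uses Python's expat binding to abort on the first DOCTYPE or entity declaration, before any expansion can happen, and runs it against a constructed entity-expansion payload and a harmless document. The handler names are the standard pyexpat ones; the sample documents are constructed.

```python
"""Added example: refusing DTDs (and so entity expansion) before an XML
document is parsed.

Illustrative code for this report, not Woodstox's or xlsx-streamer's own
settings. A DOCTYPE or entity declaration aborts the parse immediately,
so nested entities are never expanded. Sample documents are constructed.
"""
import xml.parsers.expat


class DtdNotAllowed(Exception):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def parse_without_dtd(data):
    """Parse XML and return (root_tag, number_of_elements).

    Raises DtdNotAllowed on the first DOCTYPE or entity declaration; expat
    stops parsing as soon as a handler raises, so nothing is expanded.
    """
    seen = {"root": None, "count": 0}
    parser = xml.parsers.expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {doctype_name!r} not permitted")

    def reject_entity(*args):
        raise DtdNotAllowed("entity declaration not permitted")

    def start(name, attrs):
        if seen["root"] is None:
            seen["root"] = name
        seen["count"] += 1

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.StartElementHandler = start
    parser.Parse(data, True)
    return seen["root"], seen["count"]


def is_safe_xml(data):
    """True when the document parses without any DTD constructs."""
    try:
        parse_without_dtd(data)
        return True
    except DtdNotAllowed:
        return False


# Constructed payload: a small entity-expansion bomb of the kind both CVE
# texts refer to; each level expands the previous one ten-fold.
BOMB = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE lolz [\n"
    '<!ENTITY lol "lol">\n'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    "]>\n"
    "<lolz>&lol2;</lolz>"
)

# Constructed benign document in the shape of a spreadsheet sheet part.
SAFE = "<sheet><row><c>1</c><c>2</c></row></sheet>"
```

In a Java deployment the equivalent is to set SUPPORT_DTD to false on the XMLInputFactory (or disallow the doctype declaration on a SAX/DOM factory) for every parser that touches user-supplied data, including the ones hidden inside spreadsheet readers.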
xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
The SAX License: http://www.saxproject.org/copying.html
The W3C License: http://www.w3.org/TR/2004/REC-DOM-Level-3-Core-20040407/java-binding.zip
File Path: /home/khannasa/.m2/repository/xml-apis/xml-apis/1.4.01/xml-apis-1.4.01.jar MD5: 7eaad6fea5925cca6c36ee8b3e02ac9d SHA1: 3789d9fada2d3d458c4ba2de349d48780f381ee3 SHA256: a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad Referenced In Project/Scope: java-sec-code:compile xml-apis-1.4.01.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier.
File Path: /home/khannasa/.m2/repository/xml-resolver/xml-resolver/1.2/xml-resolver-1.2.jar MD5: 706c533146c1f4ee46b66659ea14583a SHA1: 3d0f97750b3a03e0971831566067754ba4bfd68c SHA256: 47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 Referenced In Project/Scope: java-sec-code:compile xml-resolver-1.2.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.monitorjbl/xlsx-streamer@2.0.0
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/apache/xmlbeans/xmlbeans/2.3.0/xmlbeans-2.3.0.jar MD5: 64b05e7adad68fa65d02a8b6daa64afb SHA1: 8704dcf5c9f10265a08f5020b0fab70eb64ac3c4 SHA256: c63808344ea50d9741b266362996557bac8587cdc4f3faf13bbec95296d353e3 Referenced In Project/Scope: java-sec-code:compile xmlbeans-2.3.0.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/org.apache.poi/poi-ooxml@3.9
The XML parsers used by XMLBeans up to version 2.6.0 did not set the properties needed to protect the user from malicious XML input. Vulnerabilities include possibilities for XML Entity Expansion attacks. Affects XMLBeans up to and including v2.6.0.
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
The coolest XML library for Java around. Define typesafe views (projections) to xml. Use XPath to read and write XML. Bind XML to Java collections. Requires at least Java6, supports Java8 features and has no further runtime dependencies.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/khannasa/.m2/repository/org/xmlbeam/xmlprojector/1.4.13/xmlprojector-1.4.13.jar MD5: 55c1c4b360d1b8a80fca35dcb807fd4b SHA1: a6493527e7f029f133ad587621228593d304c2ea SHA256: 2c7d2361fb8ccc9fef60a2ff87d3e4f7c0191e5bbdf3e3119b83a4570c3b290d Referenced In Project/Scope: java-sec-code:compile xmlprojector-1.4.13.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.
CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt
File Path: /home/khannasa/.m2/repository/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar MD5: cc57dacc720eca721a50e78934b822d2 SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa SHA256: 34e08ee62116071cbb69c0ed70d15a7a5b208d62798c59f2120bb8929324cb63 Referenced In Project/Scope: java-sec-code:compile xmlpull-1.1.3.1.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.thoughtworks.xstream/xstream@1.4.10
MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /home/khannasa/.m2/repository/xpp3/xpp3_min/1.1.4c/xpp3_min-1.1.4c.jar MD5: dcd95bcb84b09897b2b66d4684c040da SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86 SHA256: bfc90e9e32d0eab1f397fb974b5f150a815188382ac41f372a7149d5bc178008 Referenced In Project/Scope: java-sec-code:compile xpp3_min-1.1.4c.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/com.thoughtworks.xstream/xstream@1.4.10
File Path: /home/khannasa/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar MD5: d00eec778910f95b26201395ac64cca0 SHA1: dfecae23647abc9d9fd0416629a4213a3882b101 SHA256: a1587f35fa617513607c86ec9e6e4de5eb8acdf9a3a6d7f7458f8a8c40b00858 Referenced In Project/Scope: java-sec-code:compile xstream-1.4.10.jar is in the transitive dependency tree of the listed items. Included by: pkg:maven/sec/java-sec-code@1.0.0
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any other supported format, e.g. JSON.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
It was found that XStream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any other supported format, e.g. JSON. (regression of CVE-2013-7285)
CWE-94 Improper Control of Generation of Code ('Code Injection')
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects; XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
CWE-502 Deserialization of Untrusted Data, CWE-94 Improper Control of Generation of Code ('Code Injection')
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
Description: XStream contains a remote code execution vulnerability that allows an attacker to manipulate the processed input stream and replace or inject objects that result in the execution of a local command on the server. This vulnerability can affect multiple products, including but not limited to VMware Cloud Foundation.
Required Action: Apply updates per vendor instructions.
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-502 Deserialization of Untrusted Data, CWE-306 Missing Authentication for Critical Function
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the [Security Framework](https://x-stream.github.io/security.html#framework), you will have to use at least version 1.4.18.
CWE-502 Deserialization of Untrusted Data, CWE-918 Server-Side Request Forgery (SSRF)
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-434 Unrestricted Upload of File with Dangerous Type, CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'), CWE-502 Deserialization of Untrusted Data
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects; XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
CWE-502 Deserialization of Untrusted Data, CWE-73 External Control of File Name or Path
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
Those using XStream to serialize XML data may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DoS) if DTD support is enabled. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
XStream serializes Java objects to XML and back again. Versions prior to 1.4.20 may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service only via manipulation of the processed input stream. The attack uses the hash code implementation for collections and maps to force recursive hash calculation, causing a stack overflow. This issue is patched in version 1.4.20, which handles the stack overflow and raises an InputManipulationException instead. A potential workaround for users who only use HashMap or HashSet, and whose XML refers to these only as the default map or set, is to change the default implementation of java.util.Map and java.util per the code example in the referenced advisory. However, this implies that your application does not care about the implementation of the map and that all elements are comparable.
XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist when running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected! Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
CWE-502 Deserialization of Untrusted Data, CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')